Re: INVALID state and no known connection.
Hi Daniel,

On 09/04/13 21:05 +0200, Daniel Curtis wrote:
> Hi andika. Another INVALID packet description. I read a lot of information and I don't know what is the truth. Frankly, it is the first time I see a description which concerns RAM memory.
> So, I have 1 GB of RAM memory. Just for example; free -m command result: used: 640, free: 230, and top command: 891896k total, 677284k used, 214612k free.
> As we can see, the system detected 870 MB instead of 1 GB (1024 MB). So what is the relationship between INVALID packets and RAM memory? Honestly, I don't understand it.

The information about connections is stored in /proc/net/ip_conntrack. The maximum number of connections being tracked is configured in /proc/sys/net/ipv4/netfilter/ip_conntrack_max. If you have a lot of connections, you might want to increase the values (f.e. if you use bittorrent or similar protocols). Every connection being tracked needs some RAM. You could also check if the connections timed out and then increase the timeout values.

HTH
Rolf
--
Three sad tigers eat wheat in a wheat field: one tiger, two tigers, three tigers.
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130409195137.gu26...@vzsze.de
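An added example (not from the list post) of the check Rolf describes: counting the entries in the conntrack table against ip_conntrack_max and breaking the TCP entries down by state. The table contents and the limit of 8 are constructed so it runs offline; on a live host point the functions at /proc/net/ip_conntrack and /proc/sys/net/ipv4/netfilter/ip_conntrack_max.

```shell
#!/bin/sh
# Added example: summarise a conntrack table the way one would check
# /proc/net/ip_conntrack against ip_conntrack_max. Paths are parameters so the
# functions work on the real files or on the constructed sample below.

# Constructed sample in the /proc/net/ip_conntrack line format (not from a real host).
SAMPLE_CONNTRACK='tcp      6 431998 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 packets=12 bytes=3400 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=51234 packets=9 bytes=8100 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=203.0.113.7 sport=51240 dport=80 packets=5 bytes=700 src=203.0.113.7 dst=192.168.1.10 sport=80 dport=51240 packets=4 bytes=2200 [ASSURED] mark=0 use=1
tcp      6 119 TIME_WAIT src=192.168.1.10 dst=203.0.113.8 sport=51241 dport=80 packets=5 bytes=700 src=203.0.113.8 dst=192.168.1.10 sport=80 dport=51241 packets=4 bytes=2100 [ASSURED] mark=0 use=1
udp      17 28 src=192.168.1.10 dst=192.168.1.1 sport=40112 dport=53 packets=1 bytes=60 [UNREPLIED] src=192.168.1.1 dst=192.168.1.10 sport=53 dport=40112 packets=0 bytes=0 mark=0 use=1'

# conntrack_usage TABLE_FILE MAX_FILE
# Prints "tracked max percent": one table line is one tracked connection.
conntrack_usage() {
    tracked=$(grep -c . "$1")
    max=$(cat "$2")
    echo "$tracked $max $((tracked * 100 / max))"
}

# conntrack_tcp_states TABLE_FILE
# Counts TCP entries by state (4th field of a tcp line), e.g. "TIME_WAIT 2".
# A table dominated by TIME_WAIT entries is the case for the timeout tuning
# mentioned in the post rather than for a higher ip_conntrack_max.
conntrack_tcp_states() {
    awk '$1 == "tcp" { n[$4]++ } END { for (s in n) print s, n[s] }' "$1" | sort
}

# conntrack_near_limit TABLE_FILE MAX_FILE THRESHOLD_PERCENT
# Exit status 0 when usage is at or above the threshold, 1 otherwise (for a cron check).
conntrack_near_limit() {
    pct=$(conntrack_usage "$1" "$2" | cut -d' ' -f3)
    [ "$pct" -ge "$3" ]
}

# Stand-alone demonstration: constructed table of 4 entries against a limit of 8.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONNTRACK" > "$demo_dir/ip_conntrack"
echo 8 > "$demo_dir/ip_conntrack_max"
conntrack_usage "$demo_dir/ip_conntrack" "$demo_dir/ip_conntrack_max"
conntrack_tcp_states "$demo_dir/ip_conntrack"
```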
Re: Grave apache dos possible through byterange requests
On 24/08/11 08:53 +0200, Dirk Hartmann wrote:
> it is possible to dos an actual squeeze-apache2 with easy to forge range-requests:
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
> Apache-devs are working on a solution:
> http://www.gossamer-threads.com/lists/apache/dev/401638
> But because the situation seems serious I thought I'd give you a heads up.
> Running this script against a squeeze machine with 8 Cores and 24GB Ram you only need 200 threads to kick it out of memory.

There is an advisory that recommends some workarounds, depending on the needs of your specific site:
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3c20110824161640.122d38...@minotaur.apache.org%3E

regards
Rolf
--
I never let my schooling get in the way of my education. — Mark Twain

Archive: http://lists.debian.org/20110825080837.gc13...@vzsze.de
Re: Bind security announce
On 02/12/10 14:09 -0500, Michael Gilbert wrote:
> https://www.isc.org/software/bind/advisories/cve-2010-3613
> https://www.isc.org/software/bind/advisories/cve-2010-3614
>
> This is the first I've heard of these issues. You can submit a bug report against bind9 to encourage the maintainer to start working on a fix for unstable and a backport for lenny. It would be even more helpful if you can extract the patches, apply them, and send a diff against the current packages.

Ubuntu issued a USN with fixed packages yesterday. The patches should apply to the corresponding debian versions.
http://www.ubuntu.com/usn/usn-1025-1

regards
Rolf
--
... And there comes a time when one must take a position that is neither safe, nor politic, nor popular but one must take it because one's conscience tells one that it is right. — Martin Luther King, Jr.
Re: squirrelmail package in lenny
On 21/02/10 16:19 +, Benjamin Vetter wrote:
> Furthermore, there is no security support for etch anymore, so it would result in using a rather old php4 package without security support?

It's recommended to check your system with deborphan after upgrading to a new release.

regards
Rolf
--
... Expediency asks the question, 'Is it politic?' ...

Archive: http://lists.debian.org/20100221160527.gn11...@vzsze.de
Re: suspicious text alteration
On 03/02/09 14:42 -0500, Allan Wind wrote:
> Prank? Root kits usually want to stay undetected to steal passwords, or use your box as a spam relay.

There used to be a worm in the 1990s that would make letters from a terminal fall down.

regards,
Rolf
--
... But, conscience asks the question, 'Is it right?' ...
Re: Encrypt file while you are using it
On 24/11/08 22:40 +0100, Lupe Christoph wrote:
> On Monday, 2008-11-24 at 16:12:56 +0100, Manuel Gomez wrote:
> > Hi, I would like to keep an archive encrypted at all times, so I would like to know what software can do this. Now I am using Truecrypt, but when I mount the encrypted directory it's vulnerable. I want to mount the file and have the file remain encrypted.
>
> Whenever you are able to read a file, it has to exist in unencrypted form. Let's say you have an editor or viewer that has built-in decryption. It will read the encrypted file, and decrypt it. To be able to work on it, the program has to keep the decrypted form. It also has to send it to some device for you to be able to work on it. The decrypted form will be readable from /dev/mem or /proc/pid/mem by the superuser and (procfs only) your user. It will also be possible for at least the superuser to intercept what is going to the device. There is nothing you can do to prevent these kinds of attacks.

You could use SELinux to prevent these kinds of attacks.

> So, storing your files in an encrypted filesystem with permissions set so that only your user (and the superuser) can read the files is no less secure than storing the files individually encrypted.

This depends on the attack vector. Using partition level encryption protects you from giving away your filenames and (to some degree) your atime, mtime and filesize when the partition is not mounted.

regards,
Rolf
--
... Expediency asks the question, 'Is it politic?' ...
Re: secure execution of drivers
On 21/11/08 09:29 +0100, Dani wrote:
> when the driver faulted, I was in the midst of rebuilding the system and had multiple virtual machines running. The result was that reiserfs

Did those VMs have reiserfs-partitions, too? Reiserfs has problems recovering when there are reiserfs-images inside a reiserfs-partition.

> was completely destroyed. When it had recovered more files in /LOST+FOUND than in the rest of the system ... in short, a disaster. I hope to find some solution for when the driver fails again

Use a better fs.

regards,
Rolf
--
... Expediency asks the question, 'Is it politic?' ...
Re: Kernel upgrade for 3Ware Driver issues?
On 23/04/08 07:00 -0400, Michael Stone wrote:
> needs to be scoped. There is no benefit whatsoever to defining *anything bad that happens* as a computer security issue. (Oops, I accidentally deleted my own file--no, you screwed up; Oops, the building burned down--bigger problem than computer security; Oops, aliens destroyed the planet--ditto; oops, flakey driver ate my hard

Everybody keeps off site backups! :)

> disk--systems maintenance issue.) The end result of data security processes should lead you to backups or some other contingency plan, not shoving arbitrary software into stable because it scratches your itch. Instead of blowing the computer security horn because that horn happens to have resources attached to it, you should pursue the general systems maintenance horn because that's what this problem is. (The "you" here is plural, and this is an industry-wide problem.)

Ack. But there should be a way to fix rc-bugs even after release.

regards,
Rolf
--
I died. [...] Five seconds later, I'm getting the upside of 15Kv across the nipples. (These ambulance guys sure know how to party).
Re: Why not have firewall rules by default?
On 23/01/08 18:48 +0200, Riku Valli wrote:
> Debian doesn't have any open services by default, except portmapper, and behind portmapper there aren't any services. So no need for a host firewall.

Ack. I didn't want to argue pro a default firewall.

regards,
Rolf
--
...about the greatest democrazy in the world.
Re: When are security updates effective?
* Quoting Mikko Rapeli ([EMAIL PROTECTED]):
> On Fri, Sep 01, 2006 at 06:56:17PM -0400, Michael Stone wrote:
> > On Sat, Sep 02, 2006 at 12:28:17AM +0300, Mikko Rapeli wrote:
> > > - can a process running vulnerable code be exploited to not show the shared libraries and other non-shared libraries and files it had opened for reading at some point?
> >
> > Of course it can. And that's irrelevant to the question at hand--installing a security update at that point isn't going to help.
>
> I think it is relevant: should the effectiveness actions in general be based on the host where the update was applied through lsof, package dependencies provided and digitally signed by Debian, some other information provided and digitally signed by the Debian security team in an advisory, or something else?

The problem here is that when the software has been exploited already, installing the security update doesn't fix the problem anymore.

> When an admin takes the chance and trusts lsof, that's fine. If a low privilege process starts spamming the world he'll probably notice. But if making these upgrades effective is ever automated, I wouldn't like to take that chance.

True, but in the example from above it's too late for that.

- Rolf
Re: When are security updates effective?
* Quoting Mikko Rapeli ([EMAIL PROTECTED]):
> On Tue, Aug 29, 2006 at 10:54:45PM +0200, Moritz Muehlenhoff wrote:
> > Mikko Rapeli wrote:
> > > Could Debian security advisories help a bit, since the people making the packaging changes probably know how to make the changes effective on a running installation too?
> >
> > If there's anything special to do (e.g. kernel or glibc) we already add this to the DSA text.
>
> Yes, that's great, but some of the non-special cases are not that obvious. Should I reboot or at least restart kdm after the libtiff4 update? On one host I get the feeling I don't, since 'lsof 2>/dev/null | grep libtiff' returns nothing. Then again this would suggest that at least kde/kdm needs to be restarted:
>
> # apt-cache rdepends libtiff4|grep kde
> kdelibs4
> kdegraphics-kfile-plugins
>
> So which one is it?

You can check with

# lsof +L1

It will show you open files that have been unlinked. If any of those are part of the upgraded packages, you restart that process.

- Rolf
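An added example (not from the list post) of Rolf's recipe, which also covers the later "Checking what running programs are using old libraries" reply: cross-reference the unlinked open files from `lsof +L1` with the file list of the upgraded package from `dpkg -L`, so that only the processes still mapping the replaced library are restarted. The lsof output and the package file list are constructed samples; the live call is shown in the comment.

```shell
#!/bin/sh
# Added example: find processes that still map files a package upgrade replaced,
# by combining `lsof +L1` (open files with link count 0, i.e. unlinked) with the
# file list of the upgraded package from `dpkg -L`.

# Constructed sample in the shape of `lsof +L1 -n` output (not from a real host).
SAMPLE_LSOF='COMMAND    PID     USER FD   TYPE DEVICE SIZE/OFF NLINK   NODE NAME
kdm       1234     root mem   REG    8,1   286244     0 131459 /usr/lib/libtiff.so.4.2.1 (deleted)
konqueror 2345     rolf mem   REG    8,1   286244     0 131459 /usr/lib/libtiff.so.4.2.1 (deleted)
apache2   3456 www-data mem   REG    8,1  1436088     0 131470 /usr/lib/libssl.so.0.9.8 (deleted)
bash      4567     rolf   3u  REG    8,1     4096     0 999999 /tmp/scratch (deleted)'

# Constructed file list as `dpkg -L libtiff4` would print it.
PKG_FILES='/usr/lib/libtiff.so.4
/usr/lib/libtiff.so.4.2.1
/usr/share/doc/libtiff4/changelog.Debian.gz'

# stale_processes LSOF_OUTPUT
# Prints "PID COMMAND PATH" for every unlinked file still held open (header dropped).
# NAME is lsof's last column; paths containing spaces are not handled here.
stale_processes() {
    printf '%s\n' "$1" | awk 'NR > 1 && $NF == "(deleted)" { print $2, $1, $(NF-1) }'
}

# processes_to_restart LSOF_OUTPUT PKG_FILE_LIST
# Restricts the above to files owned by the upgraded package, one "PID COMMAND" per process.
processes_to_restart() {
    stale_processes "$1" | awk -v pkgfiles="$2" '
        BEGIN { n = split(pkgfiles, f, "\n"); for (i = 1; i <= n; i++) owned[f[i]] = 1 }
        ($3 in owned) && !(($1 " " $2) in seen) { seen[$1 " " $2] = 1; print $1, $2 }'
}

# Stand-alone demonstration on the constructed data.
# On a live host: processes_to_restart "$(lsof +L1 -n)" "$(dpkg -L libtiff4)"
processes_to_restart "$SAMPLE_LSOF" "$PKG_FILES"
```

The bash process holding a deleted /tmp file is listed by stale_processes but not by processes_to_restart, which is the distinction the post draws between "unlinked" and "part of the upgraded package".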
Re: Request for comments: iptables script for use on laptops.
* Quoting Uwe Hermann ([EMAIL PROTECTED]):
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing his IP address to appear to be 127.0.0.1 could send _any_ traffic to you and you would ACCEPT it, basically rendering the firewall useless. Did I miss anything?

Maybe this:

| echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

- Rolf
Re: Request for comments: iptables script for use on laptops.
* Quoting LeVA ([EMAIL PROTECTED]):
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A OUTPUT -o lo -j ACCEPT
>
> But if one can spoof 127.0.0.1, then one can spoof anything else, so creating any rule with an ip address match is useless. No? If I set up my firewall to accept only my local network (eg. -s 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then anyone can spoof that too. So what's the point of creating rules? :)

The script under scrutiny was intended for a laptop. A router or firewall setup is something different and should not route traffic with spoofed addresses. rp_filter should catch this easily, if you can use it. If not, an IP-based rule is ok, IMHO.

- Rolf
Re: Request for comments: iptables script for use on laptops.
* Quoting Michael Stone ([EMAIL PROTECTED]):
> On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote:
> > The script under scrutiny was intended for a laptop. A router or firewall setup is something different and should not route traffic with spoofed addresses. rp_filter should catch this easily, if you can use it. If not, an IP-based rule is ok, IMHO.
>
> No, if you mean to accept loopback traffic then you should accept -i lo. If nothing else, all of 127.0.0.0/8 is loopback addresses, not just 127.0.0.1, and I have seen software that makes use of that.

Locally, yes, but on a firewall or router? And I was referring to 192.168.x.x addresses.

- Rolf
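An added example (not from the list thread) that audits for the two points argued above: it flags INPUT ACCEPT rules in an iptables-save dump that match a 127.x source address instead of `-i lo`, and checks whether rp_filter is switched on as the backstop Rolf suggests. The rule dump is a constructed sample that contains both the weak rule and the interface-based one; the rp_filter value is read from a file so the check can be pointed at /proc/sys/net/ipv4/conf/all/rp_filter on a live host.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the weak loopback rule discussed
# in the thread (ACCEPT keyed on a 127.0.0.0/8 source rather than on `-i lo`) and
# check whether rp_filter is enabled against spoofed source addresses.

# Constructed iptables-save excerpt with both the weak rule and the interface-based one.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# weak_loopback_rules RULES
# Prints INPUT ACCEPT rules that match a 127.x source without binding to `-i lo`;
# such a rule also accepts a packet arriving on eth0 with a forged loopback source.
weak_loopback_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ && /-s 127\./ && !/-i lo/'
}

# rp_filter_enabled SYSCTL_FILE
# Exit 0 when the file holds 1 (strict) or 2 (loose reverse path check), 1 otherwise.
rp_filter_enabled() {
    v=$(cat "$1")
    [ "$v" = "1" ] || [ "$v" = "2" ]
}

# Stand-alone demonstration on the constructed dump and a temporary rp_filter file holding 0.
weak_loopback_rules "$SAMPLE_RULES"
tmp=$(mktemp)
echo 0 > "$tmp"
rp_filter_enabled "$tmp" || echo "rp_filter is off: spoofed loopback sources are not dropped"
```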
Re: first A record of security.debian.org extremely slow
* Quoting Marc Haber ([EMAIL PROTECTED]):
> On Thu, Mar 02, 2006 at 11:09:28PM +0100, Florian Weimer wrote:
> > I typically use an Exim .forward file which invokes a special script using pipe. The script creates a file, and a cron job which runs periodically checks for the existence of that file and performs the desired action when it exists. This means that DSAs sent in quick succession only trigger the action once.
>
> So you have debian-security subscribed on all systems, and all systems need to run a publicly reachable mail system?

You can trigger the update via ssh or wget.

- Rolf
Re: first A record of security.debian.org extremely slow
* Quoting Michal Sabala ([EMAIL PROTECTED]):
> For the past month or so security updates have been very slow for us (~5KB/sec). It appears that the first A record for security.debian.org is the problem.
>
> host -t a security.debian.org
> security.debian.org has address 82.94.249.158  <- slow
> security.debian.org has address 128.101.80.133
> security.debian.org has address 194.109.137.218

The order of the dns answers is random, IIRC:

~$ dig +short security.debian.org A
128.101.80.133
194.109.137.218
82.94.249.158

- Rolf
Re: CVE-2006-0019
* Quoting Jan Luehr ([EMAIL PROTECTED]):
> Hello, as I'm using KDE daily I'm concerned about CVE-2006-0019 [1]. Will Sarge be patched next week? (Otherwise I'll patch and build KDE by myself)

Sarge has been patched yesterday, see DSA 948-1.

> Keep smiling

Wipe that smirk off your face :)

Rolf
Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931
* Quoting kevin bailey ([EMAIL PROTECTED]):
> hi, these ports seem to be open by default on a standard sarge setup
>
> PORT     STATE    SERVICE
> 21/tcp   open     ftp

This is not part of the default install.

> 25/tcp   open     smtp

This is only open to localhost.

> 80/tcp   open     http
> 110/tcp  open     pop3
> 143/tcp  open     imap
> 443/tcp  open     https
> 1720/tcp filtered H.323/Q.931

This is not part of the default install.

> what is 1720/tcp filtered H.323/Q.931 ?

`netstat -tulpen` shows you the listening UDP/TCP services and the corresponding program names.

> and how do i turn it off if it is unnecessary.

Uninstall the program or edit the configuration files for the services, edit /etc/inetd.conf, /etc/hosts.allow.

- Rolf
Re: What is a security bug?
* Quoting Michelle Konzack ([EMAIL PROTECTED]):
> On 2005-11-28 15:17:03, Rolf Kutz wrote:
> > s/Mozilla/links/ :-)
>
> Unfortunately there is a Java-Script problem with (e)links.

That's a feature. Other browsers have security problems with java-script :)

- Rolf
Re: What is a security bug?
* Quoting Michelle Konzack ([EMAIL PROTECTED]):
> On 2005-11-25 14:34:24, Rolf Kutz wrote:
> > It is possible, either as different users or with
>
> If you allow running apps as a different user on the same desktop, you pick up security holes in your system.

Yes, but it would also solve some.

> > different profiles (mozilla profile manager). You
>
> I know, but this means I need to maintain two sets of bookmarks, passwords...

Not if you use one for browsing and one for your internal governmental work.

> > could also use Mozilla and Mozilla Firefox simultaneously.
>
> ...and by sponsoring the hardware industry by buying more memory.

s/Mozilla/links/

- Rolf
Re: What is a security bug?
* Quoting Michelle Konzack ([EMAIL PROTECTED]):
> Unfortunately it is not possible to open two instances of mozilla. ( Which may crash separately :-/ )

It is possible, either as different users or with different profiles (mozilla profile manager). You could also use Mozilla and Mozilla Firefox simultaneously.

- Rolf
Re: What is a security bug?
* Quoting Jasper Filon ([EMAIL PROTECTED]):
> Well, obviously it is not a _security_ bug, since it has nothing to do with security. However, it is a bug, maybe even a critical one. As long as the bug does not compromise the security of the system (enables unauthorised execution of code, access to memory of other processes, manipulating the content of the other tabs or something like that) it has nothing to do with security and hence not with this list (debian-security).

Security is not just related to execution of malicious code. It also has to do with data integrity or usability of software. A vulnerability to a DoS-Attack is IMHO a security bug. Whether it justifies a security update is another question, but IIRC every security bug does.

- Rolf
Re: any DSA for CAN-2004-0930
* Quoting Hideki Yamane ([EMAIL PROTECTED]):
> > It has been fixed for unstable at least.
>
> How about CAN-2004-0600 and CAN-2004-0686 for samba in stable?

There is no Samba3 in stable.

- Rolf
Re: chkrootkit - possible bad news
* Quoting Bas ([EMAIL PROTECTED]):
> If you do not run Portsentry you have a problem..

I disagree. There could be another process listening at that.

- Rolf
Re: MD5 collisions found - alternative?
* Quoting Matthew Palmer ([EMAIL PROTECTED]):
> On Tue, Aug 24, 2004 at 09:11:34PM -0400, Michael Stone wrote:
> > On Wed, Aug 25, 2004 at 12:39:57AM +0200, Rolf Kutz wrote:
> > > This depends on how the attack really works. If you just need to flip a few bits in a document it might just look like typos (think crc32). If your document is a tarball or a .deb you might be able to insert a lot of garbage into it without being noticed.
> >
> > Right, but is someone inserting garbage into a .deb really a threat? I'd be more concerned about the insertion of malicious code...
>
> I imagine that the garbage would be to bring the md5sum back to the original to hide the trojan, rather than "hey, look, I can stick garbage on the end of the .deb and still keep the same md5sum! whee!".

Right!

- Rolf
Re: MD5 collisions found - alternative?
* Quoting Almut Behrens ([EMAIL PROTECTED]):
> On Tue, Aug 24, 2004 at 09:18:46PM +0200, Danny De Cock wrote:
> > a cryptographic hash function, such as md5, sha1, ripemd-160, to name the most commonly used cryptographic hash functions, are constructed to have at least the following properties:
> > 1. it is hard to find two distinct inputs to the hash function, say x and y, so that hash(x) equals hash(y)
> > 2. they are one-way, i.e., it is hard to find the value x given hash(x)
>
> just to make sure we're using the same terminology: 1. is what I'd consider collision resistance, whereas the oneway aspect (2.) refers to the difficulty of retrieving the original string (x above) used in computing the hash in the first place.

ACK.

> > for password schemes, it is important that the hash function used is one-way: if one knows the password, it must be very simple/easy to compute the hash of that password, but if someone obtained the hash of a password, it must be very difficult to find something, say z, so that hash(z) equals the hash of the password.
>
> but that's property 1 then (i.e. collision resistance), isn't it? And that's essentially what I was trying to point out, as I don't think that, WRT password verification, you'll ever need to know the original x. It's completely sufficient to find some other password y, z, or whatever, such that hash(some_password) == stored_hash where the stored/given hash has originally been computed as hash(x). Thus, I'd still say it's not the oneway aspect that matters here, but rather the collision resistance of the hash function...

If you can calculate the password from the hash it would be a flaw in the one way function. If you can calculate a collision from the hash and the known password, that would be a lack of collision resistance.

> Of course, as Mike has already pointed out, it's a completely different story whether you can find _any_ collision (for an arbitrary hash value), or a collision for some _given_ cryptographic hash value.

The difference between a hash for a signature and a hash for a password is that you know the plain text in the first case.

> > does this clarify things a bit more? :))
>
> not so sure... :) -- i.e. I don't really see a huge conceptual difference between two 'passwords' or 'documents' hashing to the same value...

See above.

> Also, here again, as I tried to point out in my previous post, I'd say that with finding passwords, you have more degrees of freedom. All

But less knowledge.

> that matters is that their hashes are identical, when you want to get access -- the string itself is totally irrelevant. While with signing

It has to meet certain criteria like being printable characters and having a certain length, but it doesn't have to have a meaning.

> documents, you'd probably have some very specific message in mind (at least not some random string) that you'd like to fake as originating from someone else.

This depends on how the attack really works. If you just need to flip a few bits in a document it might just look like typos (think crc32). If your document is a tarball or a .deb you might be able to insert a lot of garbage into it without being noticed.

- Rolf
Re: HTTP Browser Authentification Bug and some more bugs
* Quoting Konstantin ([EMAIL PROTECTED]):
> further information is here: http://www.ietf.org/rfc/rfc1945.txt
>
> great idea until this is fixed (not mine): Stop all http and https servers and don't visit sites which work with the by-design insecure http protocol!
>
> HEY, don't blame me, it's translated from german to english, read for yourself: http://www.heise.de/security/news/meldung/46175

Hehe, April Fools' Day :) The other ones seem to be real.

- Rolf
Re: Checking what running program are using old libraries
* Quoting Ronny Adsetts ([EMAIL PROTECTED]):
> I remember someone posting a method for locating programs that are running with old libraries, but don't recall where and I can't seem to find the right words whilst invoking google...

lsof +L1

- Rolf
Re: Firewall: Need Advice
This question would be better off on debian-firewall.

* Quoting EErdem ([EMAIL PROTECTED]):
> I've been using iptables (or I assume so). But at boot time it gives an error: "Aborting iptables load: unknown rulesets active". I couldn't find the problem. I searched via google, and found dpkg-reconfigure iptables. But it didn't help. I read a lot of iptables documents. But I think I lost some points, because I don't understand something.

Read and edit /etc/default/iptables

> Before this I want to ask: do I need a firewall? Yes, I know this is a very important tool for those who take care about security. And I can say I'm paranoid about security. But all of my ports are closed. There isn't any service listening. But sometimes I need httpd and ssh.

If your services (ports) are closed you don't need a firewall. If you need a service (like ssh) you would need to open that port anyway.

- Rolf
Re: Hacked - is it my turn? - interesting
* Quoting Phillip Hofmeister ([EMAIL PROTECTED]):
> On Tue, 03 Feb 2004 at 06:11:34PM -0500, Rolf Kutz wrote:
> > You would get an ICMP host-unreachable from the last router in that case.
>
> I don't believe this is always the case.

True.

> It may be the RFC specification that an ICMP host-unreachable be sent, but in practice this is nowhere near always the case.

Worse things happen. One of the largest mail providers in Germany (gmx.de) blocks ICMP.

- Rolf
Re: Hacked - is it my turn? - interesting
* Quoting François TOURDE ([EMAIL PROTECTED]):
> But I think DROP is the best way, 'cause it slows down NMAP or other sniffers. Sniffers must wait for the packet timeout, then retry, then wait, etc.

You're fooling yourself. What prevents sniffers from sending multiple packets at once[0]? And you're breaking the TCP-Protocol, which makes debugging much harder.

- Rolf

[0] I don't think that portscans are a threat anyway, and you increase your network load by dropping packets.
Re: Hacked - is it my turn? - interesting
* Quoting Phillip Hofmeister ([EMAIL PROTECTED]):
> As mentioned before, it is a port-scanner. Anyhow, TCP-Reset can turn

Ack.

> an asymmetric DoS attack/flood (one-way) into a symmetric DoS/flood because now your host is generating traffic by replying to these otherwise useless packets. You could set a limit rule on sending a

A DoS attack is a different scenario than a port scan. In the normal situation you create more load because of the TCP-retransmission.

> TCP-Reset..I know. I am not one that enjoys people breaking RFCs, but in this case it does make *some* sense. If someone is randomly port scanning class C's and they hit your IP, get no response from an ICMP (1) echo-request (8) and then try a few ports and get no TCP-Resets, they are likely to think you are a dead IP[1].

You would get an ICMP host-unreachable from the last router in that case.

- Rolf
Re: http://security.debian.org - down?
* Quoting Maria Rodriguez ([EMAIL PROTECTED]):
> That appears to be klecker.debian.org which isn't currently responding to pings, which in itself isn't scary, but it looks as though it may have been inaccessible for a few days now. Does anyone know what's going on?

http://lists.debian.org/debian-news/debian-news-2004/msg5.html

- Rolf
Re: aide, apt-get and remote management...
* Quoting Douglas F. Calvert ([EMAIL PROTECTED]):
> This is the problem. I am having trouble implementing a solution to update the database after an upgrade and still maintain its validity.

Run aide --update right after the upgrade and compare the output with dpkg -L of the package. Then replace /var/lib/aide.db with /var/lib/aide.db.new.

- Rolf
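An added example (not from the list post) of the comparison Rolf suggests: the file changes reported by `aide --update` are split into those explained by the upgraded packages (their `dpkg -L` listing) and those that are not, and the new database is only accepted when nothing unexplained remains. The report excerpt, reduced to "status: path" lines, and the package listing are constructed samples, and the "status: path" shape is an assumption about the report rather than a guaranteed aide format.

```shell
#!/bin/sh
# Added example: after `aide --update`, separate the reported changes into those
# the upgraded packages account for and those they do not, so that only an
# unexplained change blocks replacing /var/lib/aide.db with /var/lib/aide.db.new.

# Constructed excerpt of an aide report, reduced to "status: path" lines (assumed shape).
SAMPLE_AIDE='added: /usr/lib/libtiff.so.4.2.1
changed: /usr/lib/libtiff.so.4
changed: /usr/share/doc/libtiff4/changelog.Debian.gz
changed: /usr/bin/ssh
changed: /etc/ld.so.cache'

# Constructed `dpkg -L` listing for the packages apt just upgraded.
UPGRADED_FILES='/usr/lib/libtiff.so.4
/usr/lib/libtiff.so.4.2.1
/usr/share/doc/libtiff4
/usr/share/doc/libtiff4/changelog.Debian.gz'

# Files the package system rewrites on any upgrade, which dpkg -L never lists.
KNOWN_SIDE_EFFECTS='/etc/ld.so.cache
/var/lib/dpkg/status
/var/cache/apt/pkgcache.bin'

# unexplained_changes AIDE_REPORT UPGRADED_FILES KNOWN_SIDE_EFFECTS
# Prints every "status: path" line whose path is neither owned by an upgraded
# package nor a known side effect of the upgrade.
unexplained_changes() {
    printf '%s\n' "$1" | awk -v pkg="$2" -v side="$3" '
        BEGIN {
            n = split(pkg, f, "\n");  for (i = 1; i <= n; i++) ok[f[i]] = 1
            n = split(side, g, "\n"); for (i = 1; i <= n; i++) ok[g[i]] = 1
        }
        $1 ~ /^(added|changed|removed):$/ && !($2 in ok)'
}

# safe_to_accept_db AIDE_REPORT UPGRADED_FILES KNOWN_SIDE_EFFECTS
# Exit 0 when every change is explained (then mv aide.db.new over aide.db), 1 otherwise.
safe_to_accept_db() {
    [ -z "$(unexplained_changes "$1" "$2" "$3")" ]
}

# Stand-alone demonstration: /usr/bin/ssh is not part of the upgrade, so it is reported.
unexplained_changes "$SAMPLE_AIDE" "$UPGRADED_FILES" "$KNOWN_SIDE_EFFECTS"
```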
Re: Should I use Snort/PortSentry?
* Quoting Kristof Goossens ([EMAIL PROTECTED]):

> On Thu, May 22, 2003 at 08:46:47PM -0400, Rob French wrote:
>> So, are any network/port-related tools useful?
>
> In my personal opinion it is ALWAYS useful to know what is going on on your system. No matter how few ports are open... You said it was for your laptop, and that's why you should certainly use these tools... A laptop travels with the owner and has the specific feature of being plugged into the internal network most of the time. This is at home as well as on location...

With these tools, you are adding more complexity to your setup and might become vulnerable. Remember the latest snort exploit. So the extra security layer made your system insecure. Snort is ok to protect a network, when installed on a separate host. I don't see any use in opening more ports in order to increase security; I never understood portsentry's approach. Why not let the TCP stack do its job in RSTing incoming connections, maybe with a little help from netfilter. Netfilter can log incoming connection attempts, too, if you really need to know.

YMMV, Rolf
Re: Apt-get only security patches
* Quoting Rudolph van Graan ([EMAIL PROTECTED]):

> What I would have liked to see was something like this: [Please think of this in terms of stable or testing]

apt-listchanges. It displays the new changelog entries from the debs before installing them, but has to download them first, so no bandwidth saving. The only (and incomplete) other way I see is reading the DSAs, but this doesn't apply to testing. But if you run testing, you can't rely on the security team anyway.

- Rolf
Re: Have I been hacked?
* Quoting Ian Goodall ([EMAIL PROTECTED]):

> Thanks everyone for your help. It must be his computer as all the computers I usually log in from are all fine. I am still quite new to all of this but we all have to start somewhere :)

Check the fingerprint against the one from your machine. Check the keys in ~/.ssh/known_hosts on his machine against your public key and check the IP address in there. Maybe he logged into another server with the same IP or configured name (in ~/.ssh/config) earlier and that caused the mismatch.

- Rolf
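The check Rolf describes, as an added example that is not part of the list post and not OpenSSH's own code: read a known_hosts file the way ssh does (plain host fields, comma-separated host lists and `ssh-keygen -H` hashed fields), fingerprint the stored keys and compare them with the key the server presents now. The host names, the salt and the key blobs are constructed sample data, not real keys; only the fingerprint and hashed-host formats follow what OpenSSH writes.

```python
"""Diagnose an ssh host-key mismatch from a known_hosts file.

An entry for the same IP or name that carries a different key than the server
now presents is exactly the situation that produces ssh's warning; an entry
that is simply absent is an unknown host, not a mismatch.
"""
import base64
import hashlib
import hmac


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_host(host, salt):
    """Hashed host field as written by `ssh-keygen -H`:
    |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                          base64.b64encode(mac).decode())


def host_matches(field, host):
    """Does a known_hosts host field (hashed or a comma-separated list) cover host?"""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        return hash_host(host, base64.b64decode(salt_b64)) == field
    return host in field.split(",")


def parse_known_hosts(text):
    """Yield (hostfield, keytype, key_b64) for each non-comment line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.startswith("#"):
            yield parts[0], parts[1], parts[2]


def check_host(known_hosts_text, host, keytype, server_key_b64):
    """'match' if an entry for host carries this key, 'mismatch' if it carries
    a different key of the same type, 'unknown' if host has no entry."""
    seen = False
    server_fp = fingerprint(server_key_b64)
    for field, ktype, key in parse_known_hosts(known_hosts_text):
        if not host_matches(field, host) or ktype != keytype:
            continue
        seen = True
        if fingerprint(key) == server_fp:
            return "match"
    return "mismatch" if seen else "unknown"


# Constructed sample data: the blobs are not real keys, just distinct bytes.
KEY_A = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"A" * 64).decode()
KEY_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"B" * 64).decode()
SALT = b"\x01" * 20
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "server.example,192.0.2.10 ssh-rsa " + KEY_A,
    hash_host("other.example", SALT) + " ssh-rsa " + KEY_B,
])

if __name__ == "__main__":
    # The thread's scenario: the IP is known with KEY_A, the server now shows KEY_B.
    print(check_host(SAMPLE_KNOWN_HOSTS, "192.0.2.10", "ssh-rsa", KEY_B))
```

Running the sample against 192.0.2.10 with KEY_B reports a mismatch: the file remembers a different key for that IP, which is what happens when another machine was reached under the same address or configured name earlier. Comparing the printed fingerprints on both ends, as Rolf says, tells whether the stored or the presented key is the one to trust.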
Re: Port forwarding wrong after days
* Quoting Kay-Michael Voit ([EMAIL PROTECTED]):

> Then I stopped trying. But now, without changing anything, it works. Has anyone an explanation for this behavior?

Did you flush the conntrack table?

- rk
Re: VPN: SSH or IPSec???
* Quoting Felipe Martínez Hermo ([EMAIL PROTECTED]):

> I have a 5-site network. Each with a Cable/DSL link. Currently I have a Netscreen box on each site. I want to substitute the NS box with Linux boxes so I can manage bandwidth, set up a firewall and have a configuration which is built up on standards. I will have road warriors accessing through DSL or modems with Win2k computers.

Use IPsec. It's a standard and it's supported by win2k natively.

- Rolf
Re: VPN: SSH or IPSec???
* Quoting Florian Weimer ([EMAIL PROTECTED]):

> Rolf Kutz [EMAIL PROTECTED] writes:
>> Use IPsec. It's a standard and it's supported by win2k natively.
>
> But Felipe still needs a VPN to run IPsec on. Of course, he could use GRE tunneling for that. 8-)

Would he? Why not use IPsec's tunnel mode?

> But in his case, it might be better to terminate an encrypted VPN on the routers. In this case, the Windows IPsec support doesn't matter.

ACK, but he talked about road warriors with win2k.

- Rolf
Re: H323 Gateways
* Quoting Daniel Husand ([EMAIL PROTECTED]):

> Hi, does anyone know if it's possible to set up this: Clients - NAT - Internet - NAT - Clients with IP telephony without opening your NAT servers to the world. Any software suggestions / tricks / ideas?

You can use the ip_conntrack_h323 module from netfilter's patch-o-matic or a tunnel (ipsec, cipe, ...) between the two networks.

- rk

--
http://www.stop1984.com/
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
* Quoting Marc Demlenne ([EMAIL PROTECTED]):

> echo unexisting_binary > /proc/sys/kernel/modprobe
>
> Can we trust this solution ? What's the effect ?

You can't dynamically load and unload modules anymore. If you load all the modules you need before doing it, you're fine.

> It seems to work fine, and to block the exploit on my box. But i don't know the effect on the system, since i guess this file has a good reason to be present on a debian box ... So is it a good idea to modify it this way ?

Until you have installed a patched kernel, yes, if you don't need to dynamically (un)load modules.

- rk

--
http://www.stop1984.com/
Re: OPIE
* Quoting Cyrus Dantes ([EMAIL PROTECTED]):

> I've already installed opie-client and opie-server and already used opiepasswd to generate my OTP keys and such. I have verified my login is in /etc/opiekeys and other such needed items. Now i was wondering how i could make OpenSSH 3.5 accept my OTP passwords. Any ideas on how to make it do this?

IIRC you need to disable privilege separation, enable PAMAuthenticationViaKbdInt and change /etc/pam.d/ssh according to /usr/share/doc/libpam-opie/

hth, Rolf

--
http://www.stop1984.com/
Re: Re: is iptables enough?
* Quoting I.R. van Dongen ([EMAIL PROTECTED]):

> On Wed, 19 Mar 2003 21:21:42 +, [EMAIL PROTECTED] wrote:
>> On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. T?ndering wrote:
>>> This should be more than enough. I have been running a mailserver on a Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot of mail --- never had a problem.
>>
>> Hah! Is nothing! I run a cablemodem firewall, multiple VPN's, DNS, with snort, tiger, and other tools on a 486 with 16MB of RAM!
>
> I hope that machine has scsi disks like my gateway (120MB 1GB) since with that low on ram your machine is always swapping. That's usually no problem, but IDE disks tend to wear out fast when used 24/7. With more RAM (32-40M) your disks will be more standby.

How is that, since IDE and SCSI disks have the same mechanics?

More RAM is always good.

- Rolf

--
http://www.stop1984.com/
Re: question about SSH / IPTABLES
* Quoting Iñaki Martínez ([EMAIL PROTECTED]):

> So a client can access the server via SSH, but s/he CAN NOT ssh to other servers from my server... How can i do this?

chmod o-x /usr/bin/ssh

- rk

--
What sort of person, said Salzella patiently, sits down and writes a maniacal laugh? And all those exclamation marks, you notice? Five? A sure sign of someone who wears his underpants on his head. Opera can do that to a man.
Re: question about SSH / IPTABLES
* Quoting DEFFONTAINES Vincent ([EMAIL PROTECTED]):

> 2. Mount /home, /tmp and any other place users might have write access on with the noexec switch, so they can only use binaries installed (and allowed to them) on the system.

This does not prevent them from executing binaries. This has been discussed here before.

- rk

--
What sort of person, said Salzella patiently, sits down and writes a maniacal laugh? And all those exclamation marks, you notice? Five? A sure sign of someone who wears his underpants on his head. Opera can do that to a man.
Re: Cryptoswap -- was Re: raw disk access
* Quoting Hubert Chan ([EMAIL PROTECTED]):

> Do the kerneli modules (officially) work with encrypted swap? I know

It works for me.

> encryption, which may allocate new memory, ad infinitum. loop-AES takes care of that explicitly, by preallocating memory, but I don't think cryptoapi/cryptoloop does, so you may be taking your chances with it.

You can use loop-jari with it. With loop-aes you're bound to one cipher.

YMMV.

- rk

--
Ahahahahaha! Ahahahaha! Aahahaha! BEWARE! Yrs sincerely The Opera Ghost
Re: Cryptoswap -- was Re: raw disk access
* Quoting Joshua SS Miller ([EMAIL PROTECTED]):

> Cryptoswap? Hmm, sounds like something I was thinking about earlier today. Do you have a good resource for this?

http://www.kerneli.org/index.php

- rk

--
Ahahahahaha! Ahahahaha! Aahahaha! BEWARE! Yrs sincerely The Opera Ghost
Re: binding samba to specific interface...
* Quoting Kaddik ([EMAIL PROTECTED]):

> Is it possible to specify the interface that samba should listen on? Am I missing something, or is packet-dropping in iptables the only method? I'm using woody w 2.4.18 kernel..

'bind interfaces only' in smb.conf

But you should do source checking with iptables.

- rk

--
Ahahahahaha! Ahahahaha! Aahahaha! BEWARE! Yrs sincerely The Opera Ghost
Re: firewall advice
* Quoting andrew lattis ([EMAIL PROTECTED]):

> #connections to lo
> $iptables -A OUTPUT -p ALL -o $lo_iface -s $lo_ip -j ACCEPT
> #allow the rest
> $iptables -A OUTPUT -p ALL -o $eth_iface -s $eth_ip -j ACCEPT
> #log the rest
> $iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst -p tcp -j LOG --log-prefix "output tcp: "
> $iptables -A OUTPUT -m limit --limit $log_limit --limit-burst $log_limit_burst -p udp -j LOG --log-prefix "output udp: "

You should not forget to log other protocols like icmp, ... It's best to log any packet here.

- rk

--
Ahahahahaha! Ahahahaha! Aahahaha! BEWARE! Yrs sincerely The Opera Ghost
Re: security updates for testing?
* Quoting martin f krafft ([EMAIL PROTECTED]):

> in short: does Debian support security updates for testing?

No.

- rk

--
These wheels are for inline skates only, unless you are stupid. Aggressive skating can be dangerous and hazardous to your health. If you get hurt, you are doing it wrong.
Re: Bypassing proxies
* Quoting DEFFONTAINES Vincent ([EMAIL PROTECTED]):

> Wondering if some people know of some content-aware proxies/filters, to attempt to block [some of] those dangerous products (apart from maintaining a black-list...)

Since the traffic is encrypted, content filtering will not trigger.

> Certainly, it will always be possible to encapsulate anything in HTML very sharply, but some filtering could be made still?

If you allow traffic between the client and the Internet at all, tunneling will always be possible.

> (Maybe even run a browser on the proxy and have it check it is able to display what goes through? sounds a bit freak, doesn't it?)

Why do you allow people to install software on the clients, if you don't trust them?

- rk

--
These wheels are for inline skates only, unless you are stupid. Aggressive skating can be dangerous and hazardous to your health. If you get hurt, you are doing it wrong.
Re: Bypassing proxies
* Quoting DEFFONTAINES Vincent ([EMAIL PROTECTED]):

>> Since the traffic is encrypted, content filtering will not trigger.
>
> That's true for HTTPS, not HTTP.

According to their website, the tunnel is AES-encrypted.

>> Why do you allow people to install software on the clients, if you don't trust them?
>
> people do what they please. my job is [to try] to keep the network secure, in spite of users installing whatever.

Mission impossible. Tunnels exist for almost every protocol.

- rk

--
These wheels are for inline skates only, unless you are stupid. Aggressive skating can be dangerous and hazardous to your health. If you get hurt, you are doing it wrong.
Re: suspicious apache log entries
* Quoting Erik Rossen ([EMAIL PROTECTED]):

> Imagine instead a car that is always unlocked and is used nightly by hooligans when they go joy-riding.

That's why leaving a car unlocked is illegal in Germany. On the other hand, you still need the key to start it and a hooligan wouldn't mind breaking the window, anyway.

> The warning message + lockup technique is more like leaving a note behind the wind-shield of the car and locking its doors. In the real world, such behavior might be called being a concerned citizen.

The 'silver bullet' as described above is taking down the TCP stack, bringing down the whole server with impacts on other services as well. That's more like stealing the tyres of the car. Looking up the maintainer of that server in the whois DB and sending an email would be the 'concerned citizen' approach.

- rk
Re: Mail relay attempts
* Quoting Jones, Steven ([EMAIL PROTECTED]):

> I've found port sentry really good for detecting port scans and then routing the return packets to nowhere.

That makes you open to DoS attacks. Someone could scan you with a spoofed source IP and disconnect your box. A tarpit is a much better approach than a (dynamic) blocklist.

- Rolf
Re: Mail relay attempts
* Quoting Craig Sanders ([EMAIL PROTECTED]):

> PS: actually, the only other thing you could do is set firewall rules blocking inbound tcp port 25. if your mail server is the primary MX for your domain then you would also need a secondary MX and open the firewall for just that machine. spammers will still try - the only real difference is that you'll get entries in your kernel log rather than in your mail log. if you do this, i recommend using iptables and DROP the packet rather than REJECT it. this wastes the spammer's time while the connection times out.

Drop doesn't really prevent scans and spammers will scan for open ports first. If you really want to achieve something like that, you should install a 'Teergrube': http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html

- Rolf
Re: encrypting/decrypting partitions on the fly?
* Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):

> Hello! Anybody know of a tool like PGPDisk for Linux?

cfs is in stable.

- Rolf
Re: Portsentry issue/problem
* Quoting Zelko Slamaj ([EMAIL PROTECTED]):

> What I realized is:
> .) 'till now it is safe to leave it that way but
> .) those kiddies scan your computer and think that these ports _are_ indeed open, so you have more attack-tries, which results in longer log-files and longer ip-chains.

Plus you're open to DoS attacks, possible exploits against portsentry itself, etc. and it doesn't increase your security.

- Rolf
Re: woody ssh update and PAM keyboard-interactive authentication won't work.
* Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):

> Thanks for this info -- if you happen to come across the reference again, I'd appreciate it if you could pass it along.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=151203&repeatmerged=yes

- Rolf
Re: woody ssh update and PAM keyboard-interactive authentication won't work.
* Quoting Chuck Peters ([EMAIL PROTECTED]):

> It doesn't appear as though this keyboard-interactive authentication is something we want or need, but I don't know what it means and I haven't found anything in the ssh or sshd man pages or the libpam-doc that explains what it means. Would someone please point me to appropriate documentation or explain what is PAM keyboard-interactive authentication?

One Time Passwords e.g. (libpam-opie). But it could be any PAM challenge-response dialog.

- Rolf
Re: woody ssh update and PAM keyboard-interactive authentication won't work.
* Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):

> From: Rolf Kutz [EMAIL PROTECTED]
>> One Time Passwords e.g. (libpam-opie). But it could be any PAM challenge-response dialog.
>
> Does anyone know whether there's any chance this can/will get fixed in the future? I had been planning to use opie stuff on some machines so that when I didn't have my private key for remote access, I'd be able to log in from a terminal which I didn't trust too much. It seems a real shame not to be able to use this functionality...

You can use opie if you turn off privilege separation. This reduces some security while opie might add some, depending on your situation. I read somewhere that they are working on a fix, but it could take a while.

- Rolf
Re: Good Day - spamassin
* Quoting Alvin Oga ([EMAIL PROTECTED]):

> hi ya a silly question ... if spamassassin caught the spam, i assume it still received the spam and dumped it into a rejected spam folder ??? i would rather see that the spam senders see a bounce email that fills up their boxes with returned undeliverables..

Their or someone else's inbox. Most spam is sent with a faked From: header.

- Rolf
Re: will compression still work in this ssh release?
* Quoting Robert Brown ([EMAIL PROTECTED]):

> Sorry if this has been answered elsewhere, but there did not seem to be a mention of whether compression works with this latest release of OpenSSH 3.4, particularly on the server side. I depend upon compression in various scripts and would like to know whether those must be changed or not.

It works here, with kernel-2.4 on i386. You can check with ssh -v.

- Rolf
Re: Using GnuPG or S/MIME?
* Quoting Patrick Hsieh ([EMAIL PROTECTED]):

> Hello, We are considering using GnuPG or S/MIME to encrypt or sign the email in the company. Can someone give me any advice or suggestion?

http://www.gnupg.org/aegypten/ combines both.

- Rolf
Re: is this an attack on my sendmail?
* Quoting César Augusto Seronni Filho ([EMAIL PROTECTED]):

> hi guys in my maillog I am receiving many strange messages on sendmail like that:
>
> May 10 18:52:50 xserver sendmail[]: g4AIRfa02119: to=[EMAIL PROTECTED], ctladdr=one of my user mail (638/45), delay=03:25:09, xdelay=00:00:00, mailer=esmtp, pri=607606, relay=company.com., dsn=4.0.0, stat=Deferred: Connection timed out with company.com.

company.com might be down. Sendmail will retry later.

> look that one of my user mail is one registered email with my domain. The messages always point to the same user email. and the other strange thing is that when i try to check the connections (netstat -at) there is one strange like that:
>
> tcp 0 1 myserver:35169 mywebos.com:smtp SYN_SENT
>
> when I use netstat -atn it looks like that:
>
> tcp 0 1 myserver:35169 208.49.229.140:25 SYN_SENT
>
> and look that this ip(208.49.229.140.25) is not owned by mywebos.com I think it is spoofed

Probably a typo:

18:07 rk@afrika:~$ host 208.49.229.140
Name: mywebos.com
Address: 208.49.229.140

> Maybe this is an attack?

Unlikely. The connection's origin is your server.

> What i can do?

Lean back.

- Rolf
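A way to read a maillog full of lines like the one quoted above, added here as an example (not code from the post or from sendmail): the `key=value` fields of each sendmail queue line are parsed and the deferred entries are totalled by relay and by sending user, which turns hundreds of repetitive lines into "one relay unreachable, one user's mail waiting", the picture Rolf reads off a single line. The log lines are constructed in sendmail's format with placeholder addresses; the record layout (`qid: to=..., ctladdr=..., relay=..., dsn=..., stat=...`) follows the line quoted in the post.

```python
"""Summarize sendmail maillog queue entries: what is deferred, where, for whom.

A burst of stat=Deferred lines that all name the same relay is a delivery
problem at the far end, not traffic aimed at the server. Sample log text is
constructed for this example.
"""
import re
from collections import Counter

# "May 10 18:52:50 xserver sendmail[2119]: g4AIRfa02119: to=<...>, ..., stat=Deferred: ..."
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sendmail\[(?P<pid>\d*)\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)
# key=value pairs separated by ", "; a value runs until the next ", key=" or end of line,
# so the free-text stat= value (which contains spaces and colons) stays in one piece.
FIELD = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a queue entry."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "qid": m.group("qid")}
    for key, value in FIELD.findall(m.group("rest")):
        rec[key] = value.strip()
    return rec


def summarize(log_text):
    """Count records, deferred records, and deferred records by relay and sender."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    deferred = [r for r in records if r.get("stat", "").startswith("Deferred")]
    return {
        "total": len(records),
        "deferred": len(deferred),
        "by_relay": Counter(r.get("relay", "?") for r in deferred),
        "by_sender": Counter(r.get("ctladdr", "?") for r in deferred),
    }


# Constructed sample: three deferrals (two to one relay) and one successful delivery.
SAMPLE_LOG = """\
May 10 18:52:50 xserver sendmail[2119]: g4AIRfa02119: to=<bob@company.com>, ctladdr=<alice@example.test> (638/45), delay=03:25:09, xdelay=00:00:00, mailer=esmtp, pri=607606, relay=company.com., dsn=4.0.0, stat=Deferred: Connection timed out with company.com.
May 10 18:53:10 xserver sendmail[2120]: g4AIRfa02120: to=<carol@company.com>, ctladdr=<alice@example.test> (638/45), delay=03:20:01, xdelay=00:00:00, mailer=esmtp, pri=607712, relay=company.com., dsn=4.0.0, stat=Deferred: Connection timed out with company.com.
May 10 18:54:00 xserver sendmail[2121]: g4AIRfa02121: to=<dave@other.example>, ctladdr=<alice@example.test> (638/45), delay=00:10:00, xdelay=00:00:00, mailer=esmtp, pri=30500, relay=other.example., dsn=4.0.0, stat=Deferred: Connection refused by other.example.
May 10 18:55:00 xserver sendmail[2122]: g4AIRfa02122: to=<erin@mx.example>, ctladdr=<alice@example.test> (638/45), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30100, relay=mx.example. [198.51.100.7], dsn=2.0.0, stat=Sent (OK id=123)
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("%d of %d entries deferred" % (s["deferred"], s["total"]))
    for relay, n in s["by_relay"].most_common():
        print("  %4d  relay=%s" % (n, relay))
```

The dsn= field is the other quick discriminator: 4.x.x codes are temporary failures that sendmail keeps retrying, which is why the same queue IDs reappear in the log at each queue run; the SYN_SENT sockets in netstat are those retries leaving the server.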
Re: Iptables config
* Quoting Mathias Palm ([EMAIL PROTECTED]):

> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Sorry, I dont get that. The manpage says: ...ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions... But if I initiate a connection, it shouldn't have seen packages in both directions, should it? What am I missing?

That's for the FORWARD chain. In the INPUT chain, you only have one direction, so it sees the syn,ack package and treats the connection as established.

> ...RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error...

That's where the protocol helpers come into place. They keep track of what's happening at the protocol level and see when a data connection is requested. That also makes them potentially more vulnerable to exploits.

> How does iptables find out, that a newly initiated connection is related to another existing one? By process number, by vicinity in time or something other?

In the FTP case it sees the PORT command inside the ftp connection. With other connections it uses some sort of heuristics. You could also say it kind of guesses.

- Rolf
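The state machine behind `-m state`, as an added example (this is a simplified model written for this page, not netfilter's code): conntrack keeps one entry per flow and records both directions of it, the host's own outgoing SYN included, so the SYN/ACK that answers it arrives on INPUT as ESTABLISHED, a packet with no entry is NEW only if it is a SYN, and an unsolicited SYN/ACK is INVALID. A minimal FTP helper watches the control connection for a `PORT` command and registers the expected data connection, which is what makes the server's connection back to the client RELATED. Addresses, ports and the packet sequence are constructed; the `nf_conntrack_tcp_loose` mid-stream pickup and the helper's NAT fix-ups are not modelled.

```python
"""Toy model of netfilter connection tracking state classification.

States as seen by `-m state`: NEW (entry exists, no reply seen yet),
ESTABLISHED (reply seen), RELATED (first packet of a flow a helper expected),
INVALID (no entry and the packet cannot start one). Sample traffic is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    payload: bytes = b""


@dataclass
class Entry:
    orig: tuple            # (src, sport, dst, dport) of the packet that opened the flow
    replied: bool = False  # has a packet in the reply direction been seen?


class Conntrack:
    def __init__(self):
        self.table = {}      # original-direction tuple -> Entry
        self.expect = set()  # (src_ip, dst_ip, dst_port) flows a helper expects

    @staticmethod
    def _tuple(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(t):
        return (t[2], t[3], t[0], t[1])

    def classify(self, p):
        t = self._tuple(p)
        if t in self.table:                     # original direction of a known flow
            entry = self.table[t]
            self._ftp_helper(entry, p)
            return "ESTABLISHED" if entry.replied else "NEW"
        rev = self._reverse(t)
        if rev in self.table:                   # reply direction: now seen both ways
            self.table[rev].replied = True
            return "ESTABLISHED"
        if "SYN" in p.flags and "ACK" not in p.flags:   # only a SYN may open a flow
            self.table[t] = Entry(t)
            if (p.src, p.dst, p.dport) in self.expect:
                self.expect.discard((p.src, p.dst, p.dport))
                return "RELATED"
            return "NEW"
        return "INVALID"                        # e.g. SYN/ACK for a SYN we never sent

    def _ftp_helper(self, entry, p):
        """On a control connection to port 21, a PORT h1,h2,h3,h4,p1,p2 command
        announces where the server will connect for the data transfer."""
        if entry.orig[3] != 21 or not p.payload.startswith(b"PORT "):
            return
        nums = [int(x) for x in p.payload[5:].strip().split(b",")]
        if len(nums) != 6:
            return
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        self.expect.add((entry.orig[2], ip, port))   # server -> client:port is expected


def sample_run():
    """Classify a constructed packet sequence: active-mode FTP from this host."""
    ct = Conntrack()
    client, server, stranger = "10.0.0.5", "198.51.100.9", "203.0.113.77"
    SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    packets = [
        Packet(client, 40000, server, 21, SYN),                    # OUTPUT: our SYN
        Packet(server, 21, client, 40000, SYNACK),                 # INPUT: the reply
        Packet(client, 40000, server, 21, ACK),                    # handshake done
        Packet(client, 40000, server, 21, ACK, b"PORT 10,0,0,5,156,65\r\n"),  # 156*256+65 = 40001
        Packet(server, 20, client, 40001, SYN),                    # INPUT: data connection
        Packet(stranger, 21, client, 5555, SYNACK),                # INPUT: reply to nothing
    ]
    return [ct.classify(p) for p in packets]


if __name__ == "__main__":
    print(sample_run())
```

The sequence shows the answer to the question in the post: the reply to a locally initiated connection is ESTABLISHED on INPUT because the outgoing SYN already created the entry; the server's data connection is RELATED only because the helper parsed the PORT command, and without a helper a protocol's secondary connection would land as NEW and be dropped by a rule set that accepts only ESTABLISHED,RELATED.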
Re: protection against buffer overflows
[EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:

> it indeed sounds VERY interesting (not only to me) :-) although I never dealt with special kernel modifications. But I'll give it a go..can anyone recommend any other kernel security patch sites? ..would be great!

I never tested it, but it looks very cool: http://www.rsbac.org/overview.htm

- Rolf
Re: ping problem
Halil Demirezen ([EMAIL PROTECTED]) wrote:

> How can i solve the problem that after i ping my computer(server) with ping localhost for about 160 times, the system starts not to give response and the load average of the cpu raises to the %81. how can i solve this system problem..

You can limit user resources with ulimit (man bash).

> should i remove ping command?

No, ping is a very useful tool.

-Rolf
Re: ping problem
Gergely Trifonov ([EMAIL PROTECTED]) wrote:

> it's okay if you just remove the setuid bit from /bin/ping (chmod -s /bin/ping), so users won't be able to run it

This doesn't help. Luser will be able to create a 100% load with any command, so this doesn't help and ping is a useful tool. Try ulimit instead.

-Rolf
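What `ulimit` does underneath, as an added example that is not part of the list thread: a child process is started with setrlimit(2) limits applied between fork and exec, which is what the shell's `ulimit -t` (CPU seconds) and `ulimit -u` (process count) do before running a command. A busy loop under a one-second CPU cap is stopped by the kernel with SIGXCPU instead of pinning the CPU; a well-behaved command runs normally. The commands run here are constructed for the example; Linux or another Unix is assumed.

```python
"""Run a child under per-process resource limits, the setrlimit(2) behind `ulimit`.

The soft CPU limit makes the kernel send SIGXCPU when the child has used that
much CPU time; the hard limit one second later ends it with SIGKILL if it
ignored the signal. RLIMIT_NPROC caps how many processes the user may have.
"""
import resource
import signal
import subprocess
import sys


def set_limits(cpu_seconds, max_procs=None):
    """Return a function that applies the limits in the child before exec."""
    def _apply():
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        new_hard = cpu_seconds + 1
        if hard != resource.RLIM_INFINITY:
            new_hard = min(hard, new_hard)       # cannot raise an existing hard limit
        resource.setrlimit(resource.RLIMIT_CPU, (min(cpu_seconds, new_hard), new_hard))
        if max_procs is not None:                # ulimit -u equivalent
            resource.setrlimit(resource.RLIMIT_NPROC, (max_procs, max_procs))
    return _apply


def run_limited(argv, cpu_seconds=1, max_procs=None):
    """Run argv under the limits; return the exit status as subprocess reports it
    (a negative number is the signal that ended the child)."""
    proc = subprocess.run(argv, preexec_fn=set_limits(cpu_seconds, max_procs),
                          capture_output=True)
    return proc.returncode


def busy_loop_is_stopped(cpu_seconds=1):
    """A runaway loop (the ping-in-a-loop case from the thread, in miniature)
    ends by SIGXCPU, or SIGKILL at the hard limit, instead of running forever."""
    rc = run_limited([sys.executable, "-c", "while True: pass"], cpu_seconds)
    return rc in (-signal.SIGXCPU, -signal.SIGKILL)


def normal_command_succeeds():
    """A short command is unaffected by a generous cap."""
    return run_limited([sys.executable, "-c", "print('ok')"], cpu_seconds=5) == 0


if __name__ == "__main__":
    print("busy loop stopped:", busy_loop_is_stopped())
    print("normal command ok:", normal_command_succeeds())
```

To apply the same caps to every login rather than one child, the limits go into /etc/security/limits.conf via pam_limits; the mechanism the kernel enforces is the same setrlimit call shown here, so removing ping (or its setuid bit) is neither necessary nor sufficient.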
Re: Re: How do I disable (close) ports?
J. Paul Bruns-Bielkowicz ([EMAIL PROTECTED]) wrote:

> I have a restricted services file and a default (open) services file. Some services are disabled, i.e.
>
> 9/tcp open discard
> 13/tcp open daytime
> 109/tcp open pop-2
> 987/tcp open unknown
>
> by commenting them out of /etc/services.

Commenting out things in /etc/services doesn't disable anything. If you want to disable services, edit /etc/inetd.conf, /etc/hosts.allow, /etc/hosts.deny and the scripts in /etc/init.d/, but maybe that's what you meant. Then portscan your machine to make sure the ports are deactivated.

- Rolf
Re: Re: How do I disable (close) ports?
J. Paul Bruns-Bielkowicz ([EMAIL PROTECTED]) wrote:

>> Commenting out things in /etc/services doesn't disable anything.
>
> It seems to. The above ports were closed just by commenting them out of /etc/services and then rebooting.

How did you verify?

> No, I just changed /etc/services

It's just mapping ports, so

$ telnet 127.0.0.1 nntp

works, if you have a newsserver installed, but

$ telnet 127.0.0.1 119

should still work.

- Rolf
Re: Re: How do I disable (close) ports?
basilisk ([EMAIL PROTECTED]) wrote:

> If you do edit the init.d scripts don't forget to end the processes too.

ACK.

> Also don't just use a port scanner like nmap. have a look at lsof too
>
> lsof -Pan -i tcp -i udp
>
> It's quite useful.

Right, but it doesn't help with hosts.[allow|deny] entries, because inetd will still listen on that port. It's very useful to identify the listening process, anyhow.

- Rolf
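The check behind the advice in this thread (verify with a port scan or `lsof -i`, not by editing /etc/services), as an added example that is not part of the list posts and not lsof's code: the kernel's own socket table is read from /proc/net/tcp, every socket in LISTEN state is listed, and each port is labelled with whatever name /etc/services currently gives it. A listener whose name has been commented out simply shows up as "unknown"; it is still listening. The table text below is constructed in /proc/net/tcp's format; `live_listeners()` reads the real file on Linux.

```python
"""List listening TCP sockets from /proc/net/tcp and name their ports.

A service is closed when no socket listens on the port, which this table
shows directly; /etc/services only supplies a human-readable name.
Sample table text is constructed for this example.
"""
import socket

STATES = {"0A": "LISTEN", "01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT"}


def decode_addr(hexaddr):
    """'0100007F:0019' -> ('127.0.0.1', 25); the IPv4 address is stored little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]
    return ".".join(str(b) for b in octets), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Rows of {local, state, uid, inode} from /proc/net/tcp text (header skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        ip, port = decode_addr(fields[1])
        rows.append({"local": (ip, port), "state": STATES.get(fields[3], fields[3]),
                     "uid": int(fields[7]), "inode": fields[9]})
    return rows


def listening(rows):
    """Sorted (ip, port) pairs of sockets in LISTEN state."""
    return sorted(r["local"] for r in rows if r["state"] == "LISTEN")


def service_name(port):
    """Name from /etc/services, or 'unknown' when the port has no entry there."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"          # the socket listens regardless of the missing name


def named_listeners(rows):
    return [(ip, port, service_name(port)) for ip, port in listening(rows)]


def live_listeners():
    """Read the running kernel's table (Linux only)."""
    with open("/proc/net/tcp") as fh:
        return named_listeners(parse_proc_net_tcp(fh.read()))


# Constructed sample: a news server on all addresses, an MTA on loopback,
# and one established client connection to the MTA.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0077 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10321 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10402 1 0000000000000000 100 0 0 10 0
   2: 0100007F:89A1 0100007F:0019 01 00000000:00000000 00:00000000 00000000  1000        0 10555 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for ip, port, name in named_listeners(parse_proc_net_tcp(SAMPLE_TABLE)):
        print("%-15s %5d  %s" % (ip, port, name))
```

The inode column is what ties a socket back to its process (lsof and `netstat -p` match it against each process's file descriptors), which is the step that tells you whether a listener is inetd, a standalone daemon, or something that should not be there at all.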
Re: Mail-server config
Johannes Weiss ([EMAIL PROTECTED]) wrote:

> Hi @all, I plan to install a mailserver for ca. 800 users, now I planned to make 800 users with shell /bin/bash, home /dev/nul,... So, I ask you ;)), if this is a good solution, to make 800 UNIX-users for a mailserver and if not what's the best solution (security reason)

Consider the cyrus packages.

- Rolf
Re: Mutt tmp files -- Root is not my Enemy
Florian Bantner ([EMAIL PROTECTED]) wrote:

> A fact about which I'm concerned even more than about a hack from outside via the internet etc. is real physical access to the box. Something hackers normally don't pay enough attention to is that just somebody steps - let's say 6 o'clock in the morning - into your room, shows you his police card - or whatever governmental id card - and tells you that your computer is now his.

Use TMPFS. Encrypt your disk or do everything in RAM (maybe set up a diskless system booting from cd. See the bootcd package). They might still be bugging your hardware.

> You have to experience that for yourself to believe how easy this could happen. Just be in the wrong place at the wrong time. It happened to me once, just because I lived at that time in a flat-sharing community. I didn't see my computers for about a year and then all harddisks had been removed and were broken.

Did they replace the damage?

- Rolf
Re: Mutt tmp files -- Root is not my Enemy
Florian Bantner ([EMAIL PROTECTED]) wrote:

> On Tue, 20 Nov 2001, Rolf Kutz wrote:
>
> > Use TMPFS. Encrypt your disk or do everything in RAM (maybe set up a
> > diskless system booting from cd. See the bootcd-package). They might
> > still be bugging your hardware.
>
> I don't know tmpfs. What I'm currently thinking about is:
>
> * Create for every user a directory under his home.

a tmp dir?

> * Use some kind of ram-disk device.

tmpfs puts /tmp in virtual memory aka ramdisk. See "Virtual memory file system support" in the Kernel. Beware that it might be paged out to swap. A swapless system might be a good idea anyway.

> * Perhaps (just to be sure) encrypt it. Perhaps that's where I need some
> kind of encrypting filesystem (do I?). I'm not experienced in fs
> encryption. How do I mount such devices? Which encryption is used? When
> to enter the passphrase?

There are several howtos about cryptofs.

> > Did they replace the damage?
>
> No. To be honest: After one year I had a new box and everything running.
> In my old one I found the harddisks disconnected and having read-errors
> (at that time 2 1GB drives). To do something would include contacting a
> lawyer and doing much stressful stuff I didn't want to bother with.

You should have done that much earlier anyway. It should suffice for them to make a copy of your harddrive (or keep just the hdd if they feel like making a surface-analysis of it) and give it back to you. If they broke it, they should replace it, especially if their suspicion turned out to be wrong. If you let them get away, they will do it again and again. If they find a crypto-fs on your hdd or encrypted mail, they might never give it back to you unless you provide the keys. IIRC they might even jail you in the UK[1] and US.

Regards, Rolf
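A check for the two conditions Rolf's answer hinges on, as an added example that is not from the original mail: /tmp actually mounted as tmpfs, and no active swap that tmpfs pages could be written to. The functions take the contents of /proc/mounts and /proc/swaps as arguments, with constructed samples below, so the same code runs against the live files (assumes awk is available).

```shell
#!/bin/sh
# Added example (not from the original mail). tmpfs keeps /tmp in virtual
# memory, but virtual memory includes swap, so "/tmp never touches disk"
# needs both: /tmp mounted as tmpfs AND no active swap device.

# Constructed /proc/mounts excerpt
MOUNTS_SAMPLE='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=262144k 0 0
proc /proc proc rw 0 0'

# Constructed /proc/swaps excerpt: header line plus one active swap partition
SWAPS_SAMPLE='Filename                                Type            Size    Used    Priority
/dev/sda2                               partition       1048572 0       -2'

# tmp_is_tmpfs <mounts-content>: succeed if /tmp is mounted as tmpfs
tmp_is_tmpfs() {
    printf '%s\n' "$1" |
        awk '$2 == "/tmp" && $3 == "tmpfs" { found = 1 } END { exit !found }'
}

# swap_active <swaps-content>: succeed if any swap device is listed below
# the header line
swap_active() {
    [ "$(printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }')" -gt 0 ]
}

# tmp_stays_in_ram <mounts-content> <swaps-content>: the property Rolf wants
tmp_stays_in_ram() {
    tmp_is_tmpfs "$1" && ! swap_active "$2"
}

# Against the live system
if [ -r /proc/mounts ] && [ -r /proc/swaps ]; then
    if tmp_stays_in_ram "$(cat /proc/mounts)" "$(cat /proc/swaps)"; then
        echo "/tmp is tmpfs and no swap is active"
    else
        echo "warning: /tmp contents can reach disk (not tmpfs, or swap active)"
    fi
fi
```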
Re: Mutt tmp files -- Root is not my Enemy
Alexander Clouter ([EMAIL PROTECTED]) wrote:

> I am the root guy of my own laptop and I can trust myself :) However a lot
> of countries (uk/us and probably others, lots in the eu I would imagine)
> have encryption laws, not preventing it but permitting them to throw you in
> jail unless you hand over your encryption codes. If you don't you get a nice
> big

What if someone gets an email encrypted with a bogus key claiming to, but not belonging to, the recipient? What if I lost the key? Silly law.

> fine and 6 months-2 years in jail (in the uk at least). Steganography is
> probably a better option to avoid this 'problem'

If they find steganographic software on the box, they will ask you for the mantra, too.

- Rolf
Re: Debconf and noexec on /tmp
Emmanuel Lacour ([EMAIL PROTECTED]) wrote:

> What's the use of noexec flag???

If you mount partitions of a different OS or machine, whose programs can't or shouldn't be executed.

- Rolf