Re: Checking what running program are using old libraries

2004-03-18 Thread Stefan Neufeind
On 18 Mar 2004 at 10:03, Ronny Adsetts wrote:

> Whilst doing security upgrades this morning for openssl, it occurred to me 
> that lots of software that uses the openssl libraries will not automatically 
> get restarted and will therefore still be running with old libraries and 
> therefore be vulnerable. I usually do this by hand for the most obvious 
> programs, but that can often get overlooked or things get missed.
> 
> I remember someone posting a method for locating programs that are running 
> with old libraries, but don't recall where and I can't seem to find the 
> right words whilst invoking google...
> 
> Before I go off and figure it out, does anyone have any scripts or snippets 
> that they use for locating these programs?

Try using the command "lsof". It will show you the open files, by which program they 
are opened and if their status is "deleted" (replaced library). Should help you 
in this case ...

  Stefan
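The check Stefan describes, as an added example (not code from the list post): instead of calling lsof, it reads /proc/<pid>/maps directly, which is where lsof gets the "(deleted)" marker on Linux, and reports every process that still maps a shared object whose file on disk has been replaced. The sample maps listing is constructed; the file names and the stunnel process in it are illustrative, not taken from a real system.

```python
"""Find running processes that still map a library which has since been
replaced on disk (the "(deleted)" entries lsof reports).

Added example; not from the original mailing-list post. It reads
/proc/<pid>/maps directly, which is where lsof gets this information.
"""
import os
import re

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, path.
# Paths of unlinked files carry a trailing " (deleted)" marker.
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+"
    r"(?P<inode>\d+)\s*(?P<path>.*)$"
)
_DELETED = " (deleted)"

def deleted_libraries(maps_text):
    """Return the sorted list of shared-object paths in one maps listing whose
    backing file has been deleted or replaced.

    Only file-backed mappings (inode != 0) that look like shared objects are
    considered, so /dev/zero, anonymous memory and deleted temp files are
    ignored.
    """
    found = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if m.group("inode") == "0" or not path.endswith(_DELETED):
            continue
        real = path[: -len(_DELETED)]
        if ".so" in os.path.basename(real):
            found.add(real)
    return sorted(found)

def scan_proc(proc_root="/proc"):
    """Walk /proc and return {pid: (comm, [stale libs])} for every process
    that maps at least one deleted shared object. Processes that cannot be
    read (other users' when unprivileged, or exited mid-scan) are skipped."""
    results = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return results
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                libs = deleted_libraries(f.read())
            if libs:
                with open(os.path.join(proc_root, entry, "comm")) as f:
                    comm = f.read().strip()
                results[int(entry)] = (comm, libs)
        except OSError:
            continue
    return results

# Constructed sample: a daemon that was started before libssl/libcrypto were
# upgraded. The replaced libraries carry the "(deleted)" marker.
SAMPLE_MAPS = """\
08048000-08100000 r-xp 00000000 08:01 12345      /usr/sbin/stunnel
40000000-40015000 r-xp 00000000 08:01 67890      /lib/ld-2.3.2.so
40100000-40200000 r-xp 00000000 08:01 11111      /usr/lib/libssl.so.0.9.7 (deleted)
40200000-40300000 r-xp 00000000 08:01 22222      /usr/lib/libcrypto.so.0.9.7 (deleted)
40300000-40310000 rw-p 00000000 00:00 0
40310000-40320000 rw-p 00000000 00:00 0          /dev/zero (deleted)
bffff000-c0000000 rwxp 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    for pid, (comm, libs) in sorted(scan_proc().items()):
        print(f"{pid} {comm}: restart needed, stale libs: {', '.join(libs)}")
```

Run it as root after a library upgrade; every process it prints still has the old code mapped and needs a restart (or a reboot if the stale library is one of the core ones such as libc). Note that a library that was upgraded in place without being unlinked, or a process that merely dlopen()ed and later dlclose()d the old one, will not show up this way.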



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: I have a big problem

2004-03-08 Thread Stefan Neufeind
a) First, if you can, don't use the infected Linux for cleaning but 
boot from a rescue system.
b) Maybe try to generate a list of files that are infected. Have a 
look if only a limited number of files or files from a certain number 
of packages have been infected.
c) Try to re-install those packages by force, overwriting the 
infected files.
d) Scan again and again during reinstallation of packages.


Should be pretty straightforward. Good luck,
 Stefan

On 8 Mar 2004 at 5:38, [EMAIL PROTECTED] wrote:

> > > Pls tell me where can I find a Unix/RST.B antivirus
> > > because I have been infected by that virus and I have
> > > big important documents on my box. Pls send me some
> > > help ..
> > > -
> > > [EMAIL PROTECTED] f-prot]# ./f-prot /* -disinf
> > > Virus scanning report  -  7 March 2004 @ 15:54
> > > 
> > > F-PROT ANTIVIRUS
> > > Program version: 4.4.0
> > > Engine version: 3.14.10
> > > 
> > > VIRUS SIGNATURE FILES
> > > SIGN.DEF created 5 March 2004
> > > SIGN2.DEF created 5 March 2004
> > > MACRO.DEF created 1 March 2004
> > > 
> > > Search: /bin /bkup /boot /dev /etc /home /initrd /lib
> > > /lost+found /misc /mnt /opt /proc /root /sbin /temp
> > > /tftpboot /tmp /usr /var
> > > Action: Disinfect/Query
> > > Files: "Dumb" scan of all files
> > > Switches: -ARCHIVE -PACKED -SERVER
> > > 
> > > /bin/ping  Infection: Unix/RST.B
> > > Disinfect (Y/N/A/Q) ?
> > > y
> > >  Yes
> > > Unable to remove the virus.
> > > 
> > > I have installed F-prot on the machine without any
> > > success .. pls help me with something...
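Steps (b) and (c) of the reply above, worked through as an added example (not code from the thread): Debian packages ship a list of the checksums of their files in /var/lib/dpkg/info/<package>.md5sums, one "<md5>  <path>" line per file with the path relative to /. Comparing the installed files against those lists yields exactly the per-package list of modified files that step (b) asks for, and the package names to reinstall in step (c). The sample tree the demo builds is constructed; the package and file names in it are illustrative.

```python
"""Compare installed files against the checksums dpkg recorded at install
time and group the mismatches by package.

Added example, not from the original post. MD5 is used only because that is
what dpkg stores. An intruder who can rewrite the .md5sums lists can hide
from this check, so run it from a rescue system with the infected root
mounted (pass its mount point as `root`), not from the infected system.
"""
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse one .md5sums file into {relative_path: md5hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        entries[rel.strip()] = digest
    return entries

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_packages(info_dir, root="/"):
    """Return {package: [changed or missing files]} for every package whose
    recorded checksums no longer match the files under `root`."""
    bad = {}
    for name in sorted(os.listdir(info_dir)):
        if not name.endswith(".md5sums"):
            continue
        pkg = name[: -len(".md5sums")]
        with open(os.path.join(info_dir, name)) as f:
            expected = parse_md5sums(f.read())
        for rel, digest in sorted(expected.items()):
            try:
                if md5_of_file(os.path.join(root, rel)) != digest:
                    bad.setdefault(pkg, []).append(rel)
            except OSError:
                bad.setdefault(pkg, []).append(rel + " (missing)")
    return bad

def build_sample_tree(base):
    """Construct a tiny fake root plus dpkg info dir: package 'iputils-ping'
    ships bin/ping, which is then modified, and 'coreutils' ships bin/true,
    which stays intact. Names are illustrative only."""
    os.makedirs(os.path.join(base, "root", "bin"))
    os.makedirs(os.path.join(base, "info"))
    files = {"bin/ping": b"original ping binary\n", "bin/true": b"true\n"}
    for rel, data in files.items():
        with open(os.path.join(base, "root", rel), "wb") as f:
            f.write(data)
    for pkg, rel in (("iputils-ping", "bin/ping"), ("coreutils", "bin/true")):
        with open(os.path.join(base, "info", pkg + ".md5sums"), "w") as f:
            f.write(f"{hashlib.md5(files[rel]).hexdigest()}  {rel}\n")
    # Simulate the infection: the file no longer matches its recorded checksum.
    with open(os.path.join(base, "root", "bin", "ping"), "ab") as f:
        f.write(b"appended payload\n")
    return os.path.join(base, "info"), os.path.join(base, "root")

def demo():
    """Run the check over the constructed tree; returns the mismatch map."""
    with tempfile.TemporaryDirectory() as tmp:
        info, root = build_sample_tree(tmp)
        return verify_packages(info, root)

if __name__ == "__main__":
    for pkg, files in demo().items():
        print(f"{pkg}: {files} -> apt-get install --reinstall {pkg}")
```

Against a real system call `verify_packages("/mnt/var/lib/dpkg/info", "/mnt")` with the infected root mounted under /mnt. Files that a package marks as conffiles are legitimately edited and are not listed in .md5sums, so they need a separate look.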





Re: [sec] Re: Strange segmentation faults and Zombies

2003-09-18 Thread Stefan Neufeind
On 18 Sep 2003 at 15:02, Markus Schabel wrote:

> Christian Storch wrote:
> > The problem is starting >>before<<
> 
> I think all the things >>before<< phpshell.php are done via
> phpshell.php and the things you can see in the .bash_history
> are only the things after he already got in.
> 
[...]
> > - known unclosed security hole?
> 
> It seems that it was possible to upload & execute .php-files somewhere
> (phpshell.php)

Maybe a directory-traversal thing when using a certain form provided 
on a webpage to upload files? Check your scripts. It's quite easy to 
open such security holes - be careful with file uploads.

   Stefan

> > -Original Message-
> > From: Markus Schabel [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 18, 2003 12:23 PM
> > To: debian-security@lists.debian.org
> > Subject: Re: [sec] Re: Strange segmentation faults and Zombies
> > 
> > maximilian attems wrote:
> > 
> >>On Thu, 18 Sep 2003, Christian Storch wrote:
> >>
> >>
> >>
> >>>Don't forget to try to find the potential hole first!
> >>>Otherwise you could have a fast recurrence.
> >>>[..]
> >>>
> >>>
> >in /etc/.rpn there's a .bash_history with the following content:
> >
> >
> >>id
> >>mkdir /etc/.rpn
> >>ps -aux
> >>ps -aux | grep tbk
> >>kill -15292 pid
> >>kill 15292
> >>netconf
> >>locate httpd.conf
> >>cd /etc/.rpn
> >>ls -al
> >>wget
> >>cd /var/www/cncmap/www/upload/renegade
> >>ls -al
> >>rm -rf phpshell.php
> >>
> >>  ^__^
> >>was this the exploited hole ?
> > 
> > 
> > I think so. In fact the problem is that it got there...
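The "be careful with file uploads" advice from Stefan's reply, turned into an added example (not code from the thread or from the compromised site): the client-supplied file name is reduced to its last path component, restricted to an allowlist of extensions, replaced by a server-chosen name, and the final path is verified to stay inside the upload directory. The allowlist and the upload directory are assumptions for the demo; the point is that a name like phpshell.php, or one carrying ../ components, never reaches the filesystem. The upload directory itself should also live outside the document root, or be served with script execution disabled, so that a file that slips past the name check is still never interpreted.

```python
"""Hardened handling of a user-supplied upload file name.

Added example, not the original poster's code. It shows the checks that stop
an upload form from being turned into a directory-traversal or shell-upload
primitive.
"""
import os
import re
import secrets

# Assumption for the demo: a map-sharing site that only needs images and
# archives. Anything interpretable by the web server stays off this list.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "zip"}
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]+")

class UnsafeUpload(ValueError):
    """Raised when a client-supplied name is rejected."""

def safe_upload_target(upload_dir, client_filename):
    """Return an absolute path inside upload_dir for the given client name,
    or raise UnsafeUpload. The stored name is server-generated; only the
    (allowlisted) extension is taken from the client."""
    # Browsers may send a full path and attackers certainly will; keep only
    # the last component, treating both / and \ as separators.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or "\x00" in base:
        raise UnsafeUpload("empty or invalid filename")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        # Also rejects dotfiles such as .htaccess.
        raise UnsafeUpload("filename must be name.extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeUpload(f"extension .{ext} not allowed")
    # shell.php.jpg: some server configurations act on any extension in the
    # name, so double extensions are refused rather than trusting the last.
    if "." in stem:
        raise UnsafeUpload("multiple extensions not allowed")
    clean_stem = _UNSAFE_CHARS.sub("_", stem)[:40] or "upload"
    stored = f"{clean_stem}-{secrets.token_hex(8)}.{ext}"
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, stored))
    # Belt and braces: the resolved path must still be under the upload dir.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeUpload("path escapes upload directory")
    return target

def classify(upload_dir, client_filename):
    """Return 'ok' or the rejection reason (handy for logging and tests)."""
    try:
        safe_upload_target(upload_dir, client_filename)
        return "ok"
    except UnsafeUpload as e:
        return str(e)

if __name__ == "__main__":
    # Constructed sample names: one legitimate upload, the rest hostile.
    for name in ("map.png", "phpshell.php", "../../var/www/phpshell.php",
                 "shell.php.jpg", ".htaccess", "..\\..\\x.zip"):
        print(f"{name!r}: {classify('/srv/uploads', name)}")
```

Log the rejection reasons: a burst of "extension .php not allowed" or traversal attempts against the upload form is the same signal that, on the compromised host above, only showed up afterwards in the intruder's .bash_history.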





Re: MAC address change

2003-06-22 Thread Stefan Neufeind
On 22 Jun 2003 at 13:54, Adam ENDRODI wrote:

> How widely do you think changing the MAC address of a NIC via
> ``ifconfig  hw'' is supported by the various network cards
> and drivers out there nowadays?
> 
> My colleague and I have debated several times whether watching
> the LAN for non-matching IP-MAC pairs can reveal any useful
> information.  I argued that it may not, since the MAC is easily
> alterable, but he objected, because it's not.  Now I ask you to
> decide who is right.

Afaik all MII-capable network cards can change their MAC address. And 
since most are compatible these days :-) I haven't tried it on a 
wider range of cards myself, but changing MACs shouldn't be too much of a 
problem.
All you could do is monitor the MACs / IPs on your network and see if 
there are any changes which might give you a hint that somebody 
changed a PC (plugged his laptop into the company network or so). 
Afaik there are some packages out there that do such monitoring for you. 
Optionally you could configure MACs in your switch (if you've got a 
Cisco or the like). Put it in "learn mode" so it learns the MACs on 
all ports and then say "lock ports to these MACs" and you're done. 
When somebody tries to access the network with a different MAC you 
can afaik block that port "forever" - even if later he tries to fake 
the MAC. But you can't really make it secure.

If you're thinking about an "untrusted" network (where the MACs might 
change) you could think of installing a VPN gateway which 
authenticates users by tokens stored on the PCs. This way - even if 
someone fakes the MAC - he won't get through that gate. But that's a 
special case you have with e.g. wireless connections.

  Stefan
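The monitoring Stefan sketches ("watch the MACs / IPs on your network and see if there are any changes"), as an added example that is not code from the thread or from any of the packages he alludes to: it parses the kernel's ARP cache from /proc/net/arp (the same data `arp -n` prints) and compares it against a baseline of expected IP/MAC pairs, reporting a changed MAC for a known IP, an IP the baseline does not know, and one MAC answering for several IPs. The baseline and the ARP listing are constructed sample data. As the reply says, this only gives hints: a MAC is trivially changed, so a clean report means "nothing obviously wrong", not proof of identity.

```python
"""Watch a LAN segment for IP/MAC pairs that differ from a known baseline.

Added example, not the poster's code. Reads /proc/net/arp, which has the
header line "IP address  HW type  Flags  HW address  Mask  Device".
"""
from collections import defaultdict

ARP_FLAG_COMPLETE = 0x2  # entry has a resolved hardware address

def parse_proc_net_arp(text):
    """Return {ip: mac} for completed entries in a /proc/net/arp listing."""
    pairs = {}
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ARP_FLAG_COMPLETE:
            pairs[ip] = mac
    return pairs

def compare_to_baseline(current, baseline):
    """Return {'changed': {ip: (old, new)}, 'unknown': {ip: mac},
    'shared_mac': {mac: [ips]}}."""
    findings = {"changed": {}, "unknown": {}, "shared_mac": {}}
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
        if ip not in baseline:
            findings["unknown"][ip] = mac
        elif baseline[ip] != mac:
            findings["changed"][ip] = (baseline[ip], mac)
    for mac, ips in by_mac.items():
        # One MAC for several IPs is normal for a router doing proxy ARP;
        # for an ordinary workstation address it deserves a look.
        if len(ips) > 1:
            findings["shared_mac"][mac] = sorted(ips)
    return findings

# Constructed baseline: the pairs you expect to see on this segment.
BASELINE = {
    "192.168.1.1": "00:11:22:33:44:01",
    "192.168.1.10": "00:11:22:33:44:10",
    "192.168.1.11": "00:11:22:33:44:11",
}

# Constructed ARP cache: .11 now answers from a different MAC, which also
# claims .50; .99 is an incomplete entry and is ignored.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:01     *        eth0
192.168.1.10     0x1         0x2         00:11:22:33:44:10     *        eth0
192.168.1.11     0x1         0x2         AA:BB:CC:DD:EE:FF     *        eth0
192.168.1.50     0x1         0x2         AA:BB:CC:DD:EE:FF     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def demo():
    """Compare the constructed cache against the constructed baseline."""
    return compare_to_baseline(parse_proc_net_arp(SAMPLE_ARP), BASELINE)

def live(baseline=BASELINE):
    """Same check against this host's real ARP cache (Linux only)."""
    with open("/proc/net/arp") as f:
        return compare_to_baseline(parse_proc_net_arp(f.read()), baseline)

if __name__ == "__main__":
    for kind, hits in demo().items():
        for key, value in hits.items():
            print(f"{kind}: {key} -> {value}")
```

Run `live()` from cron on a host that sees the segment's ARP traffic and alert on non-empty findings; a monitoring host only learns about addresses it has exchanged ARP with, so ping-sweeping the subnet first (or using a dedicated sniffer such as arpwatch) gives fuller coverage.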





Re: Someone scanned my ssh daemon

2003-06-16 Thread Stefan Neufeind
On 16 Jun 2003 at 7:00, Halil Demirezen wrote:

> > My Debian box:
> > Connection closed by foreign host.
> > [EMAIL PROTECTED]:~> telnet xx.com 22
> > Trying 203.167.224....
> > Connected to xx.com.
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
> 
> To be brief, I don't usually come across an exploit that is
> only effective on Debian boxes. Plus, there are lots of ways to learn
> what distribution you are running on your machine. telnet .com 80
> and do some returns and you get the info that you are running Apache with
> PHP xxx support on a Debian box. 
> 
> This is not only ssh case.

Well, but for e.g. PHP I don't see why this is necessary. Has anybody 
written a doc on how to suppress unnecessary version messages? I'd be 
really interested in such things ...





Re: cracked? "rm uses obsolete (PF_INET,SOCK_PACKET)"

2003-06-16 Thread Stefan Neufeind
On 15 Jun 2003 at 10:36, Noah Meyerhans wrote:

> In terms of protecting against breakin, it seems like a lot of people
> here have been advocating the grsecurity kernel patch.  I have no
> experience with it, but the list of features certainly makes it sound
> like it will protect against some of the frequently exploited classes
> of bugs.  Certainly not all of them, though.  The best thing you can
> do to keep your machine secure is to simply pay attention to what's on
> it and to the potential intrusion vectors that exist.  If you can
> minimize those, you don't even need grsecurity.  (Though there's
> nothing wrong with a little paranoia, especially now that you've
> already experienced a breakin.)

Some features like overflow-protection make grsecurity really 
interesting, I think. Need to look into that one further in a while. 
Using all of grsecurity's features is surely not necessary. But it's 
amazing what "switch it on and you're secure"-features you get (e.g. 
overflow protection, which makes it REALLY interesting for me).

  Stefan





RE: OPENSSL

2003-06-11 Thread Stefan Neufeind
On 11 Jun 2003 at 6:59, Reckhard, Tobias wrote:

> On Tue, Jun 10, Stefan Neufeind wrote:
> > I'm using a 128-bit-cert.
> 
> You're using an X.509 certificate. The grade of symmetric encryption
> negotiated between browser and web server is (at least in theory)
> independent of the certificate.
> 
> > But browsers that support less encryption 
> > (e.g. IE that comes with WinNT4) can't access my SSL-pages because
> > the encryption doesn't allow degration.
> 
> The original NT shipped with IE2. Are you sure you want people to
> still use that?

Well, some people here still use it. Mainly for reading emails via 
webmail ... Users with original NT4 or some version of Mac OS are 
currently having problems accessing the webmail interface. But I 
don't want to drop to HTTP without SSL for webmail. And I can't 
install new browser versions on those machines since I don't 
administrate them. So for now these users can't view their emails 
from those machines.

> > Is there any way to solve 
> > this prob? Using Apache with an official SSL-cert.
> > 
> > PS: This just came to my mind when you said "step-up" - cause in my
> > case it would be a "step-down", right?
> 
> I could imagine that IE2 has numerous problems with SSL. It could well
> be one of the browsers that need to see step-up certificates before
> they perform 128-bit symmetric cryptography. But I don't know.
> 
> Make sure you've allowed your Apache to use small key sizes first. I
> wouldn't use them, but you should be sure that it's not your server
> that's refusing to do e.g. 40-bit RC4. Then I'd urge the NT users to
> apply the latest service pack and preferably install IE6SP1 plus the
> Hotfixes that have been released since.

Will have a look at that. Funny thing: Users can view the first page 
(login-page) but afterwards can't login. Maybe it has got something 
to do with keepalives or anything?!?

> And then they should install a better browser and use that instead.
> ;->

Read statement above. Would REALLY like to do that if I could.





Re: OPENSSL

2003-06-10 Thread Stefan Neufeind
I'm using a 128-bit cert. But browsers that support less encryption 
(e.g. the IE that comes with WinNT4) can't access my SSL pages because 
the encryption doesn't allow degradation. Is there any way to solve 
this problem? Using Apache with an official SSL cert.

PS: This just came to my mind when you said "step-up" - 'cause in my 
case it would be a "step-down", right?

On 10 Jun 2003 at 21:49, Berin Lautenbach wrote:

> Reckhard, Tobias wrote:
> > There are web browsers that will negotiate 128 bits only if the
> > certificate presented by the web server is a "step-up certificate".
> > I'm not sure what makes a certificate a step-up certificate,
> > however, nor if this restriction still applies to current browsers.
> 
> The step up involved the browser checking the signer was a legitimate
> CA to sign a step-up cert and then performing the re-negotiation. The
> restriction disappeared when the crypto export laws were all relaxed.
> You have to go a fair way back (few years) to get a browser that still
> only supports 128bit symmetric in SGC mode.



Re: Default Apache install not fit for multiple domains/users

2003-06-10 Thread Stefan Neufeind
Thank you for the information. Am I right that PHP scripts then would 
need an execute bit set? Currently they don't have one ...

On 9 Jun 2003 at 17:59, Jon wrote:

> On Mon, 2003-06-09 at 17:28, Phillip Hofmeister wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> > 
> > On Mon, 09 Jun 2003 at 09:35:49PM +0200, Stefan Neufeind wrote:
> > > But you mean starting with #! ?? How could I use the normal way of
> > > setting a cgi-handler for calling .php-files? Know what I mean?
> > > 
> > > Using Misc Binary-support (and therefor patching the kernel) seems
> > > no solution to me. Isn't there some way to make it work using
> > > Apache- features?
> > 
> > MISC Binary is not patching the kernel.  MISC Binary comes as an
> > option with the stock kernel.  You might have to compile your own
> > kernel (I don't know, I haven't used a stock Debian kernel in a VERY
> > long time...)
> > 
> 
> The binfmt_misc kernel module is included in the stock Debian kernels,
> AFAIK.  There is a nice package, binfmt-support (ala
> update-alternatives) that allows one to easily configure binfmt_misc:
> 
> 
> Package: binfmt-support
> Support for extra binary formats
> 
> The binfmt_misc kernel module, contained in versions 2.1.43 and later
> of the Linux kernel, allows system administrators to register
> interpreters for various binary formats based on a magic number or
> their file extension, and cause the appropriate interpreter to be
> invoked whenever a matching file is executed. Think of it as a more
> flexible version of the #! executable interpreter mechanism.
> 
> This package provides an 'update-binfmts' script with which package
> maintainers can register interpreters to be used with this module
> without having to worry about writing their own init.d scripts, and
> which sysadmins can use for a slightly higher-level interface to this
> module.





Re: Default Apache install not fit for multiple domains/users

2003-06-09 Thread Stefan Neufeind
But you mean starting with #! ?? How could I use the normal way of 
setting a cgi-handler for calling .php-files? Know what I mean?

Using Misc Binary support (and therefore patching the kernel) seems no 
solution to me. Isn't there some way to make it work using Apache 
features?

On 9 Jun 2003 at 11:02, Ted Cabeen wrote:

> "Stefan Neufeind" <[EMAIL PROTECTED]> writes:
> 
> > But afaik you run into real problems when you try to use suexec with
> > php, don't you? Or has anybody managed to get this running
> > correctly? (for Apache 1.3.x !!!).
> 
> You do if you use php scripts that are parsed by the server itself.
> You can use php cgi scripts with suexec without any problems.
> 
> > On 6 Jun 2003 at 17:06, Wade Richards wrote:
> >
> >> On 06 Jun 2003 16:15:37 PDT, Jon writes:
> >> >I believe Apache would still be executing php/cgi scripts as
> >> >www-data, so users could snoop on other users's scripts, session
> >> >files, etc.
> >> >
> >> >Something like:
> >> >
> >> 
> >> I suggest you look up the suEXEC Apache module, it seems to do
> >> exactly what you want.





Re: Default Apache install not fit for multiple domains/users

2003-06-09 Thread Stefan Neufeind
But afaik you run into real problems when you try to use suexec with 
php, don't you? Or has anybody managed to get this running correctly? 
(for Apache 1.3.x !!!).

On 6 Jun 2003 at 17:06, Wade Richards wrote:

> On 06 Jun 2003 16:15:37 PDT, Jon writes:
> >I believe Apache would still be executing php/cgi scripts as
> >www-data, so users could snoop on other users's scripts, session
> >files, etc.
> >
> >Something like:
> >
> 
> I suggest you look up the suEXEC Apache module, it seems to do exactly
> what you want.





PHP4-package for using FTP-SSL?

2003-05-21 Thread Stefan Neufeind
Hi,

is there a package available (similar to the ftp-package which can be 
found in the pear-lib) to use ftp with ssl? I'm not looking for SFTP 
(SSH-filetransfer) but SSL with "AUTH SSL" at the beginning of the 
session.


All the best
 Stefan



Re: Presentation

2003-04-25 Thread Stefan Neufeind
Seems like again somebody is willing to pay the "donation" to debian? 
List-admin ... go ahead :-)



Re: Secure remote syslogging?

2003-04-23 Thread Stefan Neufeind
But what if you can't deploy a separate network just for syslog? 
Encrypt it somehow? Or just use IP-based security? I guess that's the 
worst idea if you might be on a switch with several other machines, 
right?

And do I really need a real syslog on the other machine? Or is there 
any daemon so I can receive syslog entries like
machine1: ...
machine2: ...
machine2: ...

in separate files for the machines on the central server?
I guess this would best suit my needs. But again: it needs to be 
secure - even over a "public switch" :-(((


On 23 Apr 2003 at 16:37, Kenneth R. van Wyk wrote:

> On Wednesday 23 April 2003 13:43, Stefan Neufeind wrote:
> > what is the best way to remotely syslog? 
> 
> If the business situation warrants the expense, then I advise my
> clients to run an admin network on critical servers, with one hardened
> syslog server to receive event logs from the servers.  Keep admin
> (including) and production data separate, and only run syslogd (and
> possibly sshd) on the syslog server.  It's also a good idea to keep
> the log data on a RAID-5 array for reliability, but that's another
> issue.
> 
> Short of write-once media, 1-way wiring, etc., this is a pretty darned
> secure way of deploying a syslog server, IMHO.
> 
> Cheers,
> 
> Ken van Wyk
> -
> author, "Incident Response" and "Secure Coding", O'Reilly & Assoc.
> www.incidentresponse.com, www.securecoding.org
> 




Secure remote syslogging?

2003-04-23 Thread Stefan Neufeind
Hi,

what is the best way to remotely syslog? In
"RE: HELP, my Debian Server was hacked!" by James Duncan he wrote to 
use "syslog to log locally AND remotely". This is a good idea. But I 
wonder how to make it safe. Let's say I have two servers. Each could 
keep a second, separate log as "backup-log" of the server. But how do 
I make it secure that there can't exist any log-entries somebody 
"faked" into our remote-syslog-file?


Greetingz
 Stefan
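
The two posts above ask how to receive remote syslog entries into separate files per machine and how to stop somebody on the same switch from faking entries into the central log. The following is an added example (not code from any post in this thread): a minimal collector that buckets entries per sending host and rejects any entry whose HMAC tag does not verify. It assumes each sender appends "|hmac=<hex>" to its message with a per-host secret shared with the collector; the host names, keys and sample lines are constructed for illustration.

```python
# Added example for the remote-syslog thread above (not code from any post in
# it). A minimal collector that sorts entries into one bucket per sending host
# and rejects any entry whose HMAC tag does not verify, so a machine on the
# same switch cannot fake lines into another host's log. Assumptions: each
# sender appends "|hmac=<hex>" to its message and shares a per-host secret
# with the collector; host names, keys and sample lines are constructed.
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed per-host secrets. In a deployment each host gets its own key,
# handed over out of band; a host must never be able to tag for another.
HOST_KEYS = {
    "machine1": b"constructed-key-for-machine1",
    "machine2": b"constructed-key-for-machine2",
}

# BSD syslog line: "<PRI>Mmm dd hh:mm:ss host program[pid]: text"
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<body>.*)$"
)
_TAG = re.compile(r"^(?P<msg>.*)\|hmac=(?P<tag>[0-9a-f]{64})$")


def make_tag(key, host, ts, msg):
    """HMAC-SHA256 over host, timestamp and text: altering any of them
    (or re-labelling a line as coming from another host) breaks the tag."""
    data = ("%s|%s|%s" % (host, ts, msg)).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_line(key, pri, ts, host, msg):
    """What the (hypothetical) tagging relay on the sender side emits."""
    return "<%d>%s %s %s|hmac=%s" % (pri, ts, host, msg, make_tag(key, host, ts, msg))


def verify_line(line):
    """Return ((host, ts, msg), "ok") for an authentic line, else (None, why)."""
    m = _LINE.match(line)
    if not m:
        return None, "unparseable"
    host, ts, body = m.group("host"), m.group("ts"), m.group("body")
    key = HOST_KEYS.get(host)
    if key is None:
        return None, "unknown host %s" % host
    t = _TAG.match(body)
    if not t:
        return None, "missing tag"
    expected = make_tag(key, host, ts, t.group("msg"))
    # Constant-time comparison: do not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, t.group("tag")):
        return None, "bad tag"
    return (host, ts, t.group("msg")), "ok"


def split_by_host(lines):
    """Sort authentic entries into per-host buckets (one file per machine on
    the collector); everything else goes to a reject list for alerting."""
    buckets = defaultdict(list)
    rejected = []
    for line in lines:
        entry, reason = verify_line(line)
        if entry is None:
            rejected.append((line, reason))
            continue
        host, ts, msg = entry
        buckets[host].append("%s %s" % (ts, msg))
    return dict(buckets), rejected


def sample_lines():
    """Constructed traffic: three honest entries and three forgeries."""
    ts = "Apr 23 16:37:01"
    k1, k2 = HOST_KEYS["machine1"], HOST_KEYS["machine2"]
    return [
        tag_line(k1, 38, ts, "machine1", "sshd[412]: Accepted publickey for stefan"),
        tag_line(k2, 38, ts, "machine2", "sshd[901]: Failed password for root"),
        tag_line(k2, 86, ts, "machine2", "su: session opened for user root"),
        # Spoofs machine1's name from the same switch but lacks its key.
        tag_line(b"wrong-key", 38, ts, "machine1", "sshd[999]: Accepted password for root"),
        # Plain untagged line, as a spoofed UDP datagram would look.
        "<38>%s machine2 sshd[5]: Accepted password for root" % ts,
        # Valid key but a host the collector has no file for.
        tag_line(k1, 38, ts, "evil", "kernel: nothing to see here"),
    ]


if __name__ == "__main__":
    buckets, rejected = split_by_host(sample_lines())
    for host, entries in sorted(buckets.items()):
        print("%s.log: %d entries" % (host, len(entries)))   # one file per machine
    for line, why in rejected:
        print("REJECTED (%s): %s" % (why, line[:60]))
```

The tag gives origin and integrity only: it does not hide the log contents on the wire and does not stop replay of an old authentic line, so for a public switch it belongs inside the encrypted tunnel or admin network discussed in the thread, and a per-host sequence number in the tagged text closes the replay gap.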



Re: VPN: SSH or IPSec???

2003-04-17 Thread Stefan Neufeind
On 16 Apr 2003 at 17:05, Jeff wrote:

> Felipe Martínez Hermo, 2003-Apr-16 18:23 +0100:
> >
> > So far, I also prefer IPSec because it seems to be the most
> > standard-compliant implementation, but I want to know my options.   I
> > have just bought Kolesnikov's book, but I have not started with it
> > yet. One last thing: should I set up a router (and so start with
> > Adv-router-HOWTO) or should I go directly to FreeSwan Documentation?
> >
> > I am a little puzzled and I don't know what to start with.
> >
> > Thanks for your help
>
> Be careful in assuming that IPSec is "standard-compliant".  It's more
> of a reference model for implementors to use.  Interoperability
> between different implementations is sketchy and usually only works in
> a very basic configuration, such as Main Mode (as opposed to Aggressive
> Mode) and with Pre-shared keys (as opposed to certificates).
>
> Since you have Windows PC's on the road, be sure that there are
> available clients that interoperate with FreeSwan.

You can even have it interop with the native Win2k/XP-implementations.
I've set up an ipsec-vpn with an l2tp-tunnel, which is (besides the
worse pptp-thing) the default for Win2k/XP. And you can even freely
download tools for free from Microsoft to get it working from Win95
onward. Okay, don't know why the Microsoft-people added the l2tp-
thing (FreeS/Wan can do complex tunnels even without this
"workaround") but it works perfectly.



RE: Debian Kernel's and FreeSwan

2003-04-05 Thread Stefan Neufeind
On 5 Apr 2003 at 9:04, Steve Jr Ramage wrote:

> Well continuing the problem, I have moved from the original one,
> appended at the bottom. Now something else is wrong, basically the
> following output. I had to use 'export PATCH_THE_KERNEL=YES' (thanks
> Kenneth). Now the kernel compile asks me  a bunch of IPSEC questions
> and then later it does this. I have done a make-kpkg clean, and a make
> dep, on both systems. There doesn't seem to be anything wrong. I did
> download the freeswan package. Is there anything else I need?

Hi - as far as I remember there were rumours on the FreeS/Wan-list 
that the newer kernels include their own ipsec-implementation. Maybe 
that leads to your problems? Is there any package ipsec from the 
kernel already selected?


Just an idea ...



Logcheck, Logsentry, LogRider etc.

2003-03-30 Thread Stefan Neufeind
Hi,

I read on this list that several people are using logcheck, right? Is 
this still up2date? Somewhere on the net I found that it was followed 
by logsentry from Psionic - but this company doesn't seem to exist 
anymore. Afaik logsentry at last was also free. And does anybody know 
something about LogRider 
(http://freshmeat.net/projects/logrider/?topic_id=253)?

So generally:
I'm looking for a good log-monitoring-tool - not only for Debian-
systems (at least I'm honest) so I need to be able to also compile 
and package it again myself for different systems.

Could you give me any advice, explain why Psionic was taken over by 
cisco etc.? And where can I find current homepages for logcheck, 
logsentry etc.?


Thank you
 Stefan



Re: is iptables enough?

2003-03-19 Thread Stefan Neufeind
What I find astonishing: Let's say you are running a webserver, maybe 
mailserver and a DNS on a server. What rules do you want to apply to 
the packets etc.?

I would suggest to keep the open ports restricted, check for all 
current updates regularly (subscribe to several mailinglists etc.) 
and I guess that would be far enough. What other things does a 
firewall have to offer? It's good if you want to protect e.g. a 
network but for a single server I doubt it's that interesting or 
useful.


What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

> Imo iptables is a reasonably good stateful firewall and is fine in most
> cases.  However, a very wise person once said that the ideal setup is
> to layer more than one implementation of packet filter and firewall
> between the wild and a host/network you wish to protect.  Ideally
> implementations on diverse platforms.
> 
> One example for consideration is a cisco packet filter (acls) that may
> allow fragmented packets to traverse its filters, but once passed on
> to an iptables ruleset might get discarded because iptables was
> written separately from cisco's implementation and happens to catch
> this case and a few other cases that were missed.  Make your network
> an onion if you can engineer a method to easily manage your rules.
> 
> That said, I use only iptables to filter my home network and either it
> is doing a great job or nobody is interested in attacking my host
> (likely both).  For me, it does the job as nothing is revenue
> generating for myself or others -- it's important, but not critical. 
> If I had a client that wanted to sell stuff on the web and handling
> ccard ordering of a product, as well as all their corporate email,
> then I would be more thoughtful of additional measures to protect the
> network.  In my work environment every so often developers or others
> turn off our iptables rulesets without telling us, as it is easy (one
> little command).  In such cases the cisco packet filter will offer
> some protection and disabling such filters is more work than our
> developers care to struggle against.
> 
> Iptables/ipf and any other stateful firewall that attempts to be a
> modern contender in the firewalling ring is likely 'good enough'.  My
> point is that while I like iptables, it and every other filter out
> there will fall subject to some method of circumvention/exploitation
> at some point, and that how much effort you put into hardening your
> network is up to you.  Your question almost seems to be "is iptables
> developed enough to compete with commercial solutions", to which I
> would say "yes, if the person deploying the rules is experienced
> enough to write a solid set of rules".  If I was you, I would be
> satisfied with iptables and the hardware you have selected -- but I am
> not you, and this decision is not mine to make.  No matter where you
> set the bar there will still be more secure solutions.  "secure
> enough" is all a state of paranoia and budget.  :)



Re: Traffic monitoring

2003-03-14 Thread Stefan Neufeind
While we're still in the field of counting and monitoring traffic:
Is there any good way to account traffic on one computer by user? I 
searched several times for this but didn't find any good solution. 
Some people said it should be do-able with kernel-modules but nobody 
knew who had already done it.

I have several users generating traffic over the network interface 
(eth0). What I would need is monitor incoming and outgoing traffic 
accounted by the uid the process is running to or from which the 
packets are received / sent. Hmm - did I at least make it a bit 
clear? Even if I have somebody running an "ftp" for getting or 
putting files ... or if I have someone using wget on the shell or 
getting remote-files via PHP or whatever I need to account this 
traffic to the uid - all on the local machine. And if I have someone 
opening a listening-port (this also appears with ftp-transfers) and 
waits for an incoming connection I would also like to bill the 
incoming connection to the same uid.

That's my problem. Any good solutions out there? I'm stuck with this 
:-((
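
The question above is how to attribute bytes on eth0 to the uid of the local process, in both directions, including connections that arrive on a port a user's process is listening on. The following is an added example (not code from the thread and not one of the kernel-module approaches it mentions): it builds iptables counting rules that attribute outgoing packets with the owner match, which only works in OUTPUT, and set a conntrack mark on the way out so the inbound half of the same connections can be counted in INPUT; it then totals the byte counters from `iptables -nvx -L` listings. The chain names, uids and sample listings are constructed, and the commands are returned as strings that would be run as root on the host.

```python
# Added example for the per-uid accounting question above (not code from the
# thread). It builds iptables counting rules and totals their byte counters:
# outgoing packets are attributed with the owner match (which only works in
# OUTPUT), and a conntrack mark set on the way out lets the inbound half of the
# same connections be attributed in INPUT. Chain names, uids and the sample
# `iptables -nvx -L` listings are constructed for illustration; the commands
# are returned as strings and would be run as root on the host.
import re

IFACE = "eth0"   # the interface named in the question


def build_rules(uids, iface=IFACE):
    """iptables commands that count per-uid bytes in both directions."""
    cmds = [
        "iptables -t mangle -N ACCT_MARK",
        "iptables -t mangle -A OUTPUT -o %s -j ACCT_MARK" % iface,
        "iptables -N ACCT_OUT",
        "iptables -N ACCT_IN",
        "iptables -A OUTPUT -o %s -j ACCT_OUT" % iface,
        "iptables -A INPUT -i %s -j ACCT_IN" % iface,
    ]
    for uid in uids:
        # Every packet a process of this uid sends stamps the connection's
        # conntrack entry with the uid, so later packets of that flow in
        # either direction stay attributable (this covers wget, ftp and a
        # listening port alike, except the very first inbound packets that
        # arrive before any process has answered on the connection).
        cmds.append("iptables -t mangle -A ACCT_MARK -m owner --uid-owner %d "
                    "-j CONNMARK --set-mark %d" % (uid, uid))
        # Counting-only rules: no target, they just increment the counters.
        cmds.append("iptables -A ACCT_OUT -m owner --uid-owner %d" % uid)
        cmds.append("iptables -A ACCT_IN -m connmark --mark %d" % uid)
    return cmds


# One counter line of `iptables -nvx -L <chain>`: pkts, bytes, ..., match text.
_COUNTER = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+.*?(?:owner UID match|connmark match)\s+(0x[0-9a-f]+|\d+)",
    re.IGNORECASE,
)


def parse_counters(listing):
    """Return {uid: bytes} from one chain listing (header lines are skipped)."""
    totals = {}
    for line in listing.splitlines():
        m = _COUNTER.match(line)
        if not m:
            continue
        byte_count, uid = int(m.group(2)), int(m.group(3), 0)  # 0x3e8 -> 1000
        totals[uid] = totals.get(uid, 0) + byte_count
    return totals


def account(out_listing, in_listing):
    """Combine both chains into {uid: {"out": bytes, "in": bytes}}."""
    out, inb = parse_counters(out_listing), parse_counters(in_listing)
    return {uid: {"out": out.get(uid, 0), "in": inb.get(uid, 0)}
            for uid in set(out) | set(inb)}


# Constructed listings in the layout iptables -nvx -L prints (counters in
# bytes, empty target column because the rules only count).
SAMPLE_OUT = """\
Chain ACCT_OUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1532    2104320            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000
      87      66420            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001
"""
SAMPLE_IN = """\
Chain ACCT_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    9810   14123008            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match 0x3e8
     210     311540            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match 0x3e9
"""

if __name__ == "__main__":
    for cmd in build_rules([1000, 1001]):
        print(cmd)
    for uid, t in sorted(account(SAMPLE_OUT, SAMPLE_IN).items()):
        print("uid %d: out %d bytes, in %d bytes" % (uid, t["out"], t["in"]))
```

Two caveats a practitioner would want: the owner match sees nothing for packets the kernel generates without a local socket, and counters reset when the chains are flushed or the machine reboots, so a cron job should snapshot `iptables -nvx -L ACCT_OUT` and `ACCT_IN` into a file before any rule reload.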



Re: Traffic monitoring

2003-03-14 Thread Stefan Neufeind
You might want to try out the package "iptraf" and monitor the 
interface ipsec0. It gives you various overviews on traffic going 
over each port in / out as well as other statistics. Only drawback: 
It only counts as long as you leave it running on console. But I 
guess leaving it running for e.g. 12 hours (one work-day) should be 
sufficient to get an idea what's going on, right?

And you could also try to sniff the SMB-traffic ... there are 
probably ways to "listen" which files (with what filenames etc.) are 
transferred. I strongly believe there are tools doing this out there. 
Ethereal maybe? (Haven't worked with it yet.)

On 14 Mar 2003 at 20:03, Nils wrote:

> I have small but complicated problem.
> 
> How do you monitor what network traffic you have and how much? I want
> to be able to see the origin and destination, type and volume.
> 
> We have two computer labs, with their respective ISP-connections, both
> with volume based rates. These two sites are also connected to each
> other through a VPN. The volume between the two sites should really be
> marginal. Due to what we get charged by the ISP, we suspect a lot of
> non-sanctioned material (mp3..) being transported over smb. I would
> like to at least be able to monitor the volume from respective
> computer going through the firewall (and the VPN).
> 
> Preferably, I would like to have information like:
> 
> Date xx/xx/xx
> Workstation A (xxx.xxx.xxx.xxx) (95 MB)
>    SMB     35 MB
>    HTTP    40 MB
>    RSYNC   10 MB
>    FTP      5 MB
>    SSH     ...



Re: Protection against http tunneling (was: HTTP tunnel with linux server and windows client)

2003-03-14 Thread Stefan Neufeind
I've worked for a firm where they limited http-connections to let's 
say 2MB per connection. So for stealing a lot of data you always had 
to open several connections. This was some kind of "protection" 
against tunnels and heavy downloads. Maybe this interruption would be 
of some use to prevent incidents like this.

On 13 Mar 2003 at 16:33, Vassilii Khachaturov wrote:

> > The question is... is there any way to protect against this? I mean,
> > how would you differentiate on for example, a squid, the traffic of
> > one of this tunnels from the real traffic you want to allow?
> 
> There is a way to protect any particular form of tunnelling (i.e., if
> you know that a particular tunnel is there, you'll find a way to
> disrupt it).
> 
> But there is no practical way to prevent covert communications of an
> inside user to the outside world, if any reasonable connectivity,
> through whatever firewall or whatever, exists. You can minimize the
> risk by monitoring everyone's activity 24 hours, but even then you
> don't have 100% guarantee.
> 
> And if you close the network, the person can smuggle diskettes in and
> out, creating a high-latency link. Or use the state of his office
> lighting (on or off) every 17th minute to signify whether the next
> bit of the message is 0 or 1. Not too good to transmit a picture, but
> enough to eventually relay a secret encryption key to someone out
> there watching. You've got the idea...



Re: Permissions on /root/

2003-03-08 Thread Stefan Neufeind
On 8 Mar 2003 at 17:40, Christian Jaeger wrote:

> At 13:02 +0200 08.03.2003, Birzan George Cristian wrote:
> - You should also be aware that a 0700 directory does not protect you
> if you are moving another directory from outside to inside, since
> users who have already chdir'd into it remain inside it. (Example:
>
>   root:                                anybody:
>     chmod 0700 /root
>     # root feels safe
>     mkdir /blah
>                                          chdir /blah
>     mv /blah /root
>     # root thinks "ok now blah is safe"
>     cd /root/blah
>     cat > info
>     (enter sensitive info, Ctl-D)
>                                          cat info
>                                          (looks at info)

why is he allowed to use "mv /blah /root"? /root is write-protected 
so why could he move blah inside of it?



Re: Firewall Informer

2003-02-23 Thread Stefan Neufeind
Burn him ... make him pay the donation. That's the least thing 
justified. To the listmod: I would rate this a good idea, to donate  
USD 1000.

On 24 Feb 2003 at 9:05, Jean-Francois Dive wrote:

> I'm glad to see this is not a standard form of spamming as your
> answered comments on the list. However, this list is not the proper
> place to post commercial advertisement about security product not
> supported under linux and particularly Debian GNU Linux.
> 
> Thanks,
> 
> JeF
> 
> 
> On Mon, 2003-02-24 at 02:49, Matt Foster wrote:
> > Hi,
> > 
> > This message is to let you know about a new firewall testing
> > application released from Blade Software, Firewall Informer.
> > 
> > Firewall Informer provides the ability to statefully test a firewall
> > rule set to guarantee with 100% accuracy the traffic protocols and
> > connectivity allowed and blocked by the firewall.
> > 
> > Further information and evaluation software is available from the
> > Blade web site, www.blade-software.com
> > 
> > Regards
> > Matt
> > 
> > _
> > Matt Foster
> > Sales Director
> > Blade-Software Inc.
> > www.blade-software.com
> > Security Verification Management Solutions
> > __
> > Blade Software Nominated In The 8th ANNUAL SC AWARDS
> > Click on this link, http://www.scmagazine.com/awards to vote
> > 
> > ***
> > 
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
> > [EMAIL PROTECTED]



Re: Telnet forwarding ??

2003-02-20 Thread Stefan Neufeind
On 20 Feb 2003 at 9:59, Alan James wrote:

> On Thu, 20 Feb 2003 05:35:01 +, Dale Amon <[EMAIL PROTECTED]> wrote:
> 
> >> or maybe a FreeS/WAN implementation for cygwin (is there a native
> >> win implementation?) ... but that's a different problem ...
> >
> >I doubt it. FreeSWAN uses Linux kernel patches and
> >kernel crypto.
> 
> You'd be surprised:
> http://vpn.ebootis.de/

Hmm - isn't this more a sort of configuration util? The IPsec-stack 
is already in Windows. But to use the extended features of FreeS/Wan 
you have to use a real client like e.g. SSH Sentinel which is free for 
private use.



Re: Re[2]: VPN and Win32 client info

2003-02-12 Thread Stefan Neufeind
On 12 Feb 2003 at 13:17, Benjamin wrote:

> is L2TP also possible with dynamic ips?

Yes it is. Basically you would use an IPsec-encrypted connection with 
X509-certs. Have a look at the "FreeS/Wan-patch-homepage" and try out 
the patched FreeS/Wan or maybe already SuperFreeS/Wan with the X509-
patches included. This way you can use dynamic IPs for the clients, 
yes. SuperFreeS/Wan also provides NAT-traversal.

For L2TP I suggest you use rp-l2tp which worked perfectly for me. This 
is used to establish a tunnel with "virtual IPs" (let's say 10.0.0.x) 
in the "virtual" network. So IPsec is for the encryption, L2TP for 
the tunnel.



Re: VPN and Win32 client info

2003-02-12 Thread Stefan Neufeind
On 12 Feb 2003 at 11:52, Tadeusz Knapik wrote:

> On 12.02.03, Massimo Villa ([EMAIL PROTECTED]) writes:
> 
> > Is there anybody who knows a good howto to install a simple but secure
> > VPN between two little LANs? Is it possible for a single user
> > (example, a home user with W2K), to use a win32 client (as Cisco
> > client) for linking to a remote lan managed by a linux VPN?
>  Yes, you can use Linux pptpd with some kernel and ppp patches.
>  Patches can be found at http://public.planetmirror.com/pub/mppe/.

You can also use L2TP on the Windows-machines. I recently found out 
there are patent-limitations for which I personally dislike the PPTP-
solution. Also I heard it's less secure than L2TP with X509-certs. If 
anybody is interested I could dig out those weblinks for the patent-
thing.


Yours
 Stefan



Re: VPN and Win32 client info

2003-02-12 Thread Stefan Neufeind
Maybe you might have a look at FreeS/Wan for the server-side. 
FreeS/Wan itself can be used to connect LANs directly via IPsec. 
There are also various ways to connect Windows-clients to such an 
IPsec-network.

If you're interested, maybe have a look at the FreeS/Wan-mailinglist 
at: lists.freeswan.org


Yours sincerely
 Stefan

On 12 Feb 2003 at 11:21, Massimo Villa wrote:

> Is there anybody who knows a good howto to install a simple but secure
> VPN between two little LANs? Is it possible for a single user (example,
> a home user with W2K), to use a win32 client (as Cisco client) for
> linking to a remote lan managed by a linux VPN?


