Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

2005-07-21 Thread Thomas Sjögren
On Thu, Jul 21, 2005 at 08:17:38PM +0200, Karsten Dambekalns wrote:
> Now, I find it unlikely to see the same local root exploit in 2.4.18 and 
> 2.6.7. 

They are both old kernels, compile your own and apply suitable patches.
Grsecurity is one, and it doesn't need any particular configuration.

> Are pwgen-passwords with 8 chars, containing upper/lower case and numbers 
> really that insecure?

Good initial passwords don't really protect anything if the users are
able to change the password into a really crappy one. Consider using
libpam-passwdqc.

> What should I do to prevent such things in the future?

. Remove anything you don't need
. Use iptables to block everything, and allow only what's needed
. Better passwords
. Set Allow{Users,Groups} for ssh
. Use current kernels, don't use 2.6 unless you have to. Even if it's
  considered stable, new versions keep popping up with big patches
. Have strict mount options; 
  /home mounted with nosuid,nodev,noexec works well (unless your users are
  developers)
. Go read the Securing Debian Manual 
(http://www.debian.org/doc/manuals/securing-debian-howto/)

/Thomas
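As an added example (not part of Thomas's reply), a small POSIX sh audit that checks configuration text for three of the items in his list: the /home mount options, an sshd AllowUsers/AllowGroups restriction, and pam_passwdqc in the PAM password stack. All sample configuration in the block is constructed for the demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original thread: audit helpers for three of the
# hardening items in Thomas's list. Each function reads one configuration file
# from stdin and prints "ok" or "missing:<what>" so the result is easy to test.

# /home must carry nosuid,nodev,noexec (Thomas's "strict mount options").
check_home_mount() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }              # skip comments and short lines
        $2 == "/home" {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            split("nosuid nodev noexec", want, " ")
            missing = ""
            for (i = 1; i <= 3; i++)
                if (!(want[i] in have))
                    missing = missing (missing == "" ? "" : ",") want[i]
            print (missing == "" ? "ok" : "missing:" missing)
        }
        END { if (!found) print "missing:/home-entry" }
    '
}

# sshd_config should restrict who may log in (AllowUsers or AllowGroups).
check_sshd_allow() {
    if grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]+[^[:space:]]'; then
        echo ok
    else
        echo "missing:AllowUsers/AllowGroups"
    fi
}

# The PAM password stack should run pam_passwdqc.so (libpam-passwdqc) so
# users cannot replace a good initial password with a weak one.
check_pam_passwdqc() {
    if grep -Eq '^[[:space:]]*password[[:space:]].*pam_passwdqc\.so'; then
        echo ok
    else
        echo "missing:pam_passwdqc"
    fi
}

# Constructed sample files (stand-ins for /etc/fstab, /etc/ssh/sshd_config and
# /etc/pam.d/common-password); the "weak" variants show the failing case.
FSTAB_WEAK='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 / ext3 errors=remount-ro 0 1
/dev/sda3 /home ext3 defaults 0 2'
FSTAB_STRICT='/dev/sda1 / ext3 errors=remount-ro 0 1
/dev/sda3 /home ext3 defaults,nosuid,nodev,noexec 0 2'
SSHD_WEAK='Port 22
#AllowUsers thomas
PermitRootLogin no'
SSHD_STRICT='Port 22
PermitRootLogin no
AllowGroups sshusers'
PAM_WEAK='password required pam_unix.so nullok obscure min=4 max=8 md5'
PAM_STRICT='password required pam_passwdqc.so min=disabled,24,11,8,7 max=40
password required pam_unix.so use_authtok nullok md5'

# Prints one line per check for the given configuration set ("weak" or "strict").
audit_report() {
    case "$1" in
        weak)   fstab=$FSTAB_WEAK;   sshd=$SSHD_WEAK;   pam=$PAM_WEAK ;;
        strict) fstab=$FSTAB_STRICT; sshd=$SSHD_STRICT; pam=$PAM_STRICT ;;
        *) echo "usage: audit_report weak|strict" >&2; return 2 ;;
    esac
    printf 'home-mount:   %s\n' "$(printf '%s\n' "$fstab" | check_home_mount)"
    printf 'sshd-allow:   %s\n' "$(printf '%s\n' "$sshd" | check_sshd_allow)"
    printf 'pam-passwdqc: %s\n' "$(printf '%s\n' "$pam" | check_pam_passwdqc)"
}

audit_report weak
echo ---
audit_report strict
```

On a real host the same functions take the live files on stdin, e.g. `check_home_mount < /etc/fstab`.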


Re: How to force users to set complex enough passwords?

2005-04-05 Thread Thomas Sjögren
On Tue, Apr 05, 2005 at 07:21:28PM +0800, xiang sen wrote:
> thanks!
passwdqc

/Thomas


Re: Grsecurity patches on Debian

2005-02-07 Thread Thomas Sjögren
On Mon, Feb 07, 2005 at 02:10:07PM +0100, Andras Got wrote:
> You should start with grsec low and proc restrictions set customly.
> Hardening your kernel is always an option.

Running grsec isn't a problem, I use it on both clients and servers.
Don't start with grsec low but with the custom option,
CONFIG_GRKERNSEC_CUSTOM, and read the help sections.

> The grsec default high settings, 

IIRC it defaults to custom.

> and PaX break Jetty (java server container) in two, so it simply won't 
> start, gradm won't help as I know. 

Changing PaX settings is done by chpax or paxctl; gradm is for the ACL. If
something breaks, chpax -peMRXs usually works; after that it's about fine tuning.

/Thomas


Re: Strange problem with mail...

2004-08-26 Thread Thomas Sjögren
On Thu, Aug 26, 2004 at 09:44:51PM +0200, Jan Luehr wrote:
> Greetings,
> Am Donnerstag, 26. August 2004 19:32 schrieb UnKnown:
> > Hi ppl, first I want to state that this is my first mail to this list, if
> > by any chance this is not the right list to do so plz point me to the
> > correct one.
> > Last Sunday the mail server started kicking processes, actually it made such a
> > mess that it threw all daemons down. When I checked the console this message
> > was the only thing left:
> > __alloc_pages: '-order allocation failed (gfp=0x)
> 
> Ok. This looks like an exploit.
> Which kernel do you use?
> 2.4.26 is certainly not Woody-standard.
> Are you able to find any binary causing this kind of message?

Sure it isn't the memory or filesystem?
Some info:
http://www.ussg.iu.edu/hypermail/linux/kernel/0404.2/1680.html
http://mirror.hamakor.org.il/archives/linux-il/01-2004/8144.html
http://lists.suse.com/archive/suse-linux-e/2003-Jul/1178.html

/Thomas
-- 
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--




Re: NTP servers

2004-08-12 Thread Thomas Sjögren
On Thu, Aug 12, 2004 at 10:40:14AM -0700, Adam Morley wrote:
> Hi,
> 
> I'm interested in setting up an NTP server on a debian machine with security in 
> mind, but from my lookings at the official NTP server (www.ntp.org), the daemon 
> which serves time also updates the local clock, and hence has to have permission to 
> do so.
[...]

http://www.openntpd.org/

/Thomas


binutils w PaX Vs binutils w SSP

2004-07-16 Thread Thomas Sjögren
PaX support in binutils and SSP-compiled packages are two very nice
things to have. The problem is that at this moment you can't have
both at the same time.

Using, for example, Steve Kemp's GCC w/ SSP[1], binutils comes compiled with
SSP. If you then install Petersen's binutils with the PaX patch[2], Kemp's
version of binutils gets uninstalled.

This isn't odd, but it's pretty annoying because, imo, both PaX and SSP
should be pretty much standard.

Setting up a third repository seemed kind of ridiculous only to provide
these packages with both SSP and PaX, so are there any plans to coordinate this
kind of thing and set up a centralized repository for patches like SSP
and PaX?

[1]http://people.debian.org/~skx/propolice.html
[2]http://lists.debian.org/debian-security/2004/07/msg00096.html

/Thomas


Re: Major TCP Vulnerability

2004-04-20 Thread Thomas Sjögren
On Tue, Apr 20, 2004 at 02:29:34PM -0400, Eric Dantan Rzewnicki wrote:
> Has anyone heard about this? This article has no details ... apologies
> for the post's data-mining ... I'm still looking for other references.
> 
> http://www.washingtonpost.com/wp-dyn/articles/A27403-2004Apr20.html

Since the article is for subscribers only, this is a "wild" guess:
http://www.uniras.gov.uk/vuls/2004/236929/index.htm

/Thomas



Re: Fwd: Re: [ox-en] Walther

2004-02-25 Thread Thomas Sjögren

On Wed, Feb 25, 2004 at 06:02:22PM +0200, Martin Hardie wrote:
> so the use of debian products for racist work is ok for debian

It's a distribution of an operating system, how do you intend to stop
 from using it?

> by using debian he associates debian's products with racism

Don't want to be rude, but have you guys heard of freedom of speech and
freedom of choice?

As long as there's no racist/whatever propaganda inside Debian, what's the
problem?

/Thomas





Call for testers (putting SSP in Debian)

2004-02-22 Thread Thomas Sjögren

[Sorry for the cross-posting]

Hi,
With gcc-3.3 (1:3.3.3ds4-0pre4) the maintainers updated the SSP patch.
It is, however, not applied by default.
I submitted a bug report [1] about this, but the problem is that my
experience with GCC w/ SSP is only on the x86 arch. So if you have any
experience with it on different archs, please read the bug reports (see
the URLs below) and send your info so that the Debian GCC maintainers have
enough info to make a good decision about applying the patch.

Note that #233208 has been merged with #213994.

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=213994
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=233208

/Thomas






Re: 2.6.1 CryptoAPI woes

2004-01-20 Thread Thomas Sjögren
On Tue, Jan 20, 2004 at 08:47:40AM -0800, Johannes Graumann wrote:
> Now: how do I make sure this is AES-256 and not some other permutation
> of the cypher?

You use the losetup -k (or --keybits) option.
E.g. losetup -e aes -k 256 ...

/Thomas




Re: (php?) bug exploit report

2004-01-20 Thread Thomas Sjögren
On Tue, Jan 20, 2004 at 10:00:04AM +0100, Oliver Hitz wrote:
> I think you should be able to avoid such exploits by using PHP's safe
> mode. It allows you, among other things, to specify that only files in
> a particular directory may be executed. This way, even if someone
> succeeds in uploading an exploit onto your server, he won't be able to run
> it.

Recommend that you also take a look at mod_security
(http://www.modsecurity.org/) for apache.

/Thomas




another kernel vulnerability

2004-01-05 Thread Thomas Sjögren
If you haven't heard it already:
Synopsis:  Linux kernel do_mremap local privilege escalation
vulnerability
Product:   Linux kernel
Version:   2.2, 2.4 and 2.6 series
http://isec.pl/vulnerabilities/isec-0013-mremap.txt

Patch:
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

/Thomas




Re: GnuPG & mutt on Woody 3.0r2.

2003-12-22 Thread Thomas Sjögren
On Mon, Dec 22, 2003 at 12:35:49PM -0700, s. keeling wrote:
> > >gpg: Signature made Sun Dec 21 17:50:12 2003 MST using DSA key ID 946886AE
> > >gpg: BAD signature from "Trey Sizemore <[EMAIL PROTECTED]>"
> 
> Now, from the same guy, same key, why do I get "Bad signature?"

Is there something different about this email compared to the one
earlier? Some mailing lists, for example, add info about the list at the
end of the messages sent on them, so the signature fails. If you tried
to verify a file, download it and try again.

> > Have you already tried another key server? For example wwwkeys.pgp.net?
> 
> Tried that this morning.  It failed miserably.  However, pgp.mit.edu
> works fine.

pgp.mit.edu and many other PKSd keyservers can't handle multiple subkeys;
use a server running SKS[1] so you know that you get the whole key if it
uses subkeys.

[1] Examples of keyservers running SKS:
keyserver.bu.edu
keys.se.linux.org
pgp.sjbcom.com
keyserver.noreply.org

/Thomas




Re: When will kernel-image-2.4.23 be available ?

2003-12-05 Thread Thomas Sjögren
On Fri, Dec 05, 2003 at 08:08:46AM +0100, Lupe Christoph wrote:
> BUT! Does anybody have a patch for the do_brk vuln on any kernel-source
> package >= 2.4.20 as they are currently in the archives? I would like to
> build a new kernel with the vuln patched ASAP, rather than wait for the
> upload to reopen.

http://linux.bkbits.net:8080/linux-2.4/diffs/mm/[EMAIL PROTECTED]

/Thomas




Re: Debian servers "hacked"?

2003-11-25 Thread Thomas Sjögren
On Fri, Nov 21, 2003 at 09:17:33AM -0500, Michael Stone wrote:
> Thank you for not starting wild unfounded rumors. If you don't have the
> facts it is unproductive to speculate wildly, especially in a pejorative
> fashion.

Not starting rumours or speculating, just asking how the servers got
rooted. If I offended anyone I apologise.

/Thomas




Re: Debian servers "hacked"?

2003-11-21 Thread Thomas Sjögren
On Fri, Nov 21, 2003 at 02:17:52PM +0200, Johann Spies wrote:
> On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
> > Anyone to shed some light over this?
> 
> There has been an announcement on the Debian-announce-list a few
> minutes ago which clarifies the situation.  I have asked Martin to
> publish the announcement in this list also.
> 

Yes, I know. The last 5 replies I've got were with the URL to that
announcement.
What I'm interested in is how it could happen.

/Thomas




Re: Debian servers "hacked"?

2003-11-21 Thread Thomas Sjögren
On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
> That's ATM unknown. It seems that nobody (except the bad boys) has access to
> the boxes. But there are ppl on the way to catch local access. That's all I
> heard.

Ok, so there's no manual auditing on services, processes, etc (on a daily
basis) while the servers are running?

/Thomas




Re: Debian servers "hacked"?

2003-11-21 Thread Thomas Sjögren
On Fri, Nov 21, 2003 at 01:13:35PM +0100, Jan Wagner wrote:
> http://luonnotar.infodrom.org/~joey/debian-announce.txt

Read that a minute ago, but what happened?

/Thomas




Debian servers "hacked"?

2003-11-21 Thread Thomas Sjögren
Anyone to shed some light over this?

"Someone has cracked all the servers of the Debian Project. There has
been a severe security mishap and guys should uninstall all stuff
downloaded and installed in the past 2 days. Please do not apt-get
anything right now! Please wait till an `official' release happens!"
http://article.gmane.org/gmane.linux.debian.user/117910

Server security mishap - you think?!

/Thomas




Re: Why not use /bin/noshell?

2003-10-24 Thread Thomas Sjögren
Tried the Titan noshell and it works as expected.
However, Tiger complains about it if you follow the CERT installation
procedure and "Register the noshell program as the valid login shell."
There's no need to do this, as noshell really doesn't care and still
works as a non-valid shell.

[...]
NEW: --WARN-- [acc001w] Login ID games is disabled, but still has a
valid shell.
NEW: --WARN-- [acc001w] Login ID list is disabled, but still has a valid
shell.
NEW: --WARN-- [acc001w] Login ID lp is disabled, but still has a valid
shell.
NEW: --WARN-- [acc001w] Login ID mail is disabled, but still has a valid
shell.
NEW: --WARN-- [acc001w] Login ID man is disabled, but still has a valid
shell
[...]

About the license, it's available at http://www.fish.com/titan/
"4) You may distribute the programs of this Package in object code or
executable form, provided that you do at least ONE of the following:

a) distribute a Standard Version of the executables and library
files, together with instructions (in the manual page or equivalent)
on where to get the Standard Version.

b) accompany the distribution with the machine-readable source
of the Package with your modifications.

c) accompany any non-standard executables with their
corresponding Standard Version executables, giving the
non-standard executables non-standard names, and clearly
documenting the differences in manual pages (or equivalent),
together with instructions on where to get the Standard
Version.

d) make other distribution arrangements with the
Copyright Holder."

/Thomas




Re: Why do system users have valid shells

2003-10-22 Thread Thomas Sjögren
On Wed, Oct 22, 2003 at 07:41:33PM +1000, Russell Coker wrote:
> We can start with "bin", "daemon", "sys", and "sync" which are the least 
> likely accounts to need a login shell.  After those changes have been tested 
> to everyone's satisfaction we can then move on to others.

Why not deny those accounts login access at the same time?
It wouldn't hurt.

/Thomas
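Added example (not part of either post): a POSIX sh version of the check behind Tiger's acc001w warning quoted in the noshell message above, run over constructed passwd/shadow/shells samples. It reports accounts whose password is locked (`*` or a leading `!` in the shadow field) but whose login shell is still listed in /etc/shells; an account pointed at a shell outside /etc/shells, such as the noshell discussed above, drops out of the list. The remediation lines it prints use usermod with the /bin/noshell path from that thread.

```shell
#!/bin/sh
# Added example, not from the original posts: lists accounts that are
# disabled (locked password in the shadow file) yet still have a login
# shell that /etc/shells declares valid. This is the condition behind
# Tiger's "Login ID ... is disabled, but still has a valid shell" warning.

# Arguments: paths to a shells file, a shadow file and a passwd file.
# Prints the matching login names, space separated, in passwd order.
disabled_with_valid_shell() {
    awk -F: '
        FNR == 1 { file++ }                      # 1 = shells, 2 = shadow, 3 = passwd
        file == 1 && $0 !~ /^[ \t]*#/ && NF > 0 { shells[$1] = 1 }
        file == 2 && ($2 == "*" || $2 ~ /^!/)   { disabled[$1] = 1 }
        file == 3 && ($1 in disabled) && ($7 in shells) {
            out = out (out == "" ? "" : " ") $1
        }
        END { print out }
    ' "$1" "$2" "$3"
}

# Constructed sample data standing in for /etc/shells, /etc/shadow and
# /etc/passwd. The password hashes are placeholders, not real hashes.
make_sample_dir() {
    dir=$(mktemp -d)
    printf '%s\n' '# /etc/shells: valid login shells' /bin/sh /bin/bash > "$dir/shells"
    printf '%s\n' \
        'root:$1$PLACEHOLDER$:12000:0:99999:7:::' \
        'games:*:12000:0:99999:7:::' \
        'lp:!:12000:0:99999:7:::' \
        'mail:*:12000:0:99999:7:::' \
        'thomas:$1$PLACEHOLDER$:12000:0:99999:7:::' > "$dir/shadow"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'games:x:5:60:games:/usr/games:/bin/sh' \
        'lp:x:7:7:lp:/var/spool/lpd:/bin/sh' \
        'mail:x:8:8:mail:/var/mail:/bin/noshell' \
        'thomas:x:1000:1000:Thomas:/home/thomas:/bin/bash' > "$dir/passwd"
    echo "$dir"
}

# The remedy from the thread: give such accounts a shell that is not in
# /etc/shells. Prints the usermod lines instead of running them.
remediation_commands() {
    for user in $(disabled_with_valid_shell "$1" "$2" "$3"); do
        echo "usermod -s /bin/noshell $user"
    done
}

d=$(make_sample_dir)
echo "disabled accounts with a valid shell: $(disabled_with_valid_shell "$d/shells" "$d/shadow" "$d/passwd")"
remediation_commands "$d/shells" "$d/shadow" "$d/passwd"
rm -rf "$d"
```

Against a live system the function takes /etc/shells, /etc/shadow and /etc/passwd directly (reading the shadow file needs root).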




Re: ssh vulnerability in the wild

2003-09-16 Thread Thomas Sjögren
On Tue, Sep 16, 2003 at 11:59:34AM -0700, TongKe Xue wrote:
> Hello,

Hi,

>   On a slightly off topic note, I'm thinking about running an
> ftp/http/ssh server for personal use in college. What precautionary
> measures should I take, or rather can I take? From reading over the
> various Slashdot posts, I'm thinking that beyond
> 
>   (1) making sure system isn't running any unnecessary servers
> (Debian seems pretty good in this by default)
>   (2) making sure all software is up to date
>  and
>   (3) since it's a college campus, possibly being able to ask
> technical support for the subnet (correct word?) of all campus IP
> addresses, and only allowing access IP addresses on that subnet
> 
>  beyond all of that, there really isn't much that I can do is there?

Well, like everything else, it depends how much time you want to spend on
security.
Is it an anonymous-only FTP? If not, encrypt the traffic to protect the
usernames and passwords.
Are you the only one that's going to connect with ssh? If not, consider
chroot()ing the other accounts.
Public webserver? If not, only allow certain addresses, and use SSL/TLS
if needed.

Also consider building a custom kernel with, for example, PaX.  Grsecurity 
(www.grsecurity.org) is a good kernel patch with PaX and a simple ACL
among other things.

If you're building your own packages, consider using the SSP
(http://www.research.ibm.com/trl/projects/security/ssp/) patch for GCC.

/Thomas




Re: grsecurity patch - woody

2003-08-14 Thread Thomas Sjögren
On Thu, Aug 14, 2003 at 09:57:26AM -0400, Todd Charron wrote:
> I'm using the latest 2.4.18 kernel in woody  (came out very recently).  I was 
> wondering if anyone else was running into this problem and perhaps knew a way 
> around it?  Thanks,

The Debian kernel contains patches not present in the vanilla .18. If
you can't fix the .rej (which often isn't a big deal), try with the
vanilla kernel (and not .18, since it contains security
vulnerabilities).

/Thomas


Re: Strongest linux - kernel patches

2003-07-02 Thread Thomas Sjögren
Ugly reply, but here goes...

On Tue, Jul 01, 2003 at 04:27:21PM -0700, Alvin Oga wrote:
> 
> On Tue, 1 Jul 2003, valerian wrote:
> 
> > On Tue, Jul 01, 2003 at 02:36:37PM +0200, Javier Castillo Alcibar wrote:
> > > Hi all,
> > > 
> > > I want to setup a new linux server in internet (apache, php, postfix,
> > > mysql, dns...), and I would like to patch the standard kernel with some
> > > security patches. but my question is, what patches are the best??

Best? Well, what do you want to do? How much time are you prepared to
spend to secure your system?
Are you looking for a general, basic security model (Openwall works well
and is easy to apply) or do you want to spend time on ACLs (SELinux or
RSBAC or Grsecurity's simple system)?

> > >- Openwall ??

Good if you just want to apply it and basically forget about it.

> > >- TrustedDebian ??

It is not a kernel patch. It is now called Adamantix (have a look at www.adamantix.org)
and is a Debian derivative that uses PaX, builds every package (including the
kernel) with IBM's stack smashing protector and lets you choose if you want to
use an RSBAC (www.rsbac.org) enabled kernel.

> > >- LIDS??

Add RSBAC and SELinux to the list if you want to check out similar patches.

> -- at a minimum, you should be using linux-2.4.21
>and openwall and lids and ..

Or wait for .22, which _might_ include some crypto.

> -- than use the latest php, apache, postfix, mysql, dns
>   - probably want to chroot your dns app

... and don't forget to build the packages with your SSP patched GCC :)

/Thomas

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Apache user pages (was: Re: Permissions on /root/)

2003-03-10 Thread Thomas Sjögren
On Mon, 10 Mar 2003, Johannes Berth wrote:
> You don't have to make your $HOME world readable, just world executable.
[...]
> With 711 on your $HOME and secure chmods on your files nobody will be
> able to see files you don't want them to see.

... but there's still no reason to place "public html" in home dirs,
and how many users use secure chmods when creating dirs/files?
Put 700 on their home dir and the user doesn't have to bother with
secure chmods when they just want to do their job, as long
as they don't put anything private in public_html/www/whatever, if
there's such a dir present.

/Thomas


Re: Apache user pages (was: Re: Permissions on /root/)

2003-03-10 Thread Thomas Sjögren
On Monday 10 March 2003 15.19, Rob VanFleet wrote:
> > No they don't.
> > You shouldn't place user websites in their home dirs. Place the
> > user "webspace" in e.g  /var/www/[user] and symlink from
> > public_html or whatever.
>
> ..and this makes a difference how...?  I'm not necessarily trying to
> disagree with you, I was just expecting an explanation as to why that
> is a better solution.

It's a simple solution to separate users' home dirs from public view, so
to speak.
With this solution there is no need to make home dirs world readable,
thus you're able to set 700 on their homes which, as I see it, is a
good thing.

... and with chroot and a kernel patch you should even be allowed to
put it on a public net ;)

/Thomas


Re: Permissions on /root/

2003-03-08 Thread Thomas Sjögren
On Sat, 8 Mar 2003, Birzan George Cristian wrote:

> > It should be locked down and not touched by adduser ("Would You Like To
> > Make All Homedirs World-Readable?").
> root is not the regular user. Users need o+x on their home dirs for
> Apache to be able to serve pages.

No they don't.
You shouldn't place user websites in their home dirs. Place the user
"webspace" in e.g. /var/www/[user] and symlink from public_html or
whatever.

/Thomas

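An audit for the layout described in this reply and in the "Apache user pages" replies above (homes at 700, web files in /var/www/[user], public_html only as a symlink into that webspace). This is an added example, not code from the thread; the base directories are parameters, and the alice/bob sample tree is constructed here so the check can be tried offline.

```shell
#!/bin/sh
# Added example, not from the thread: audit the recommended layout, homes at
# 700 (Apache needs no o+x on them) and each user's web files in
# /var/www/<user>, reached from the home only through a public_html symlink.
# Base directories are parameters so the audit can run against a test tree.

# audit_homes HOMEBASE WEBROOT -> one "<user> <finding>" line per problem
audit_homes() {
    homebase=$1
    webroot=$(readlink -f "$2")
    for home in "$homebase"/*; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        # Home dir should be exactly 700 (GNU stat prints the octal mode).
        mode=$(stat -c %a "$home")
        [ "$mode" = 700 ] || echo "$user home-mode:$mode"
        pub="$home/public_html"
        [ -e "$pub" ] || [ -L "$pub" ] || continue
        if [ -L "$pub" ]; then
            # A symlink is fine only if it points into this user's webspace.
            target=$(readlink -f "$pub")
            case "$target" in
                "$webroot/$user"|"$webroot/$user"/*) ;;
                *) echo "$user public_html-outside-webspace:$target" ;;
            esac
        else
            # A real directory here is what forces o+x on the home dir.
            echo "$user public_html-is-real-dir"
        fi
    done
}

# build_demo_tree DIR: constructed sample tree with one compliant user
# (alice) and one non-compliant user (bob). In a real deployment the
# /var/www/<user> directories would also be chowned to their users.
build_demo_tree() {
    base=$1
    mkdir -p "$base/home" "$base/www/alice" "$base/www/bob"
    mkdir -m 700 "$base/home/alice"
    ln -s "$base/www/alice" "$base/home/alice/public_html"
    mkdir -m 755 "$base/home/bob"
    mkdir -m 755 "$base/home/bob/public_html"   # real dir: needs o+x on home
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    build_demo_tree "$d"
    audit_homes "$d/home" "$d/www"
    rm -rf "$d"
fi
```

Run with `demo` as the only argument to see the two findings for bob and none for alice; point `audit_homes` at /home and /var/www to check a real system.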