Re: CVE-2023-33460, ruby-yajl affected?
On Wed, Jul 05, 2023 at 09:06:15AM +, Bastien Roucariès wrote:
> On Wednesday, 5 July 2023, 04:52:48 UTC Anton Gladky wrote:
> > Hello,
> >
> > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > is affected. There is no direct dependency on yajl, where the vulnerability
> > was detected.
> ruby-yajl includes an old version of yajl 1.01.12
>
> The vuln code was introduced by
> https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb
> in version 2.1.0 in 2010

This matches my investigation, however, a small correction: This commit is already part of version 2.0.0. I've added a note in data/CVE/list accordingly.

--
Cheers, tobi
Re: DSA translations
On Friday 18 November 2005 06:07, Felipe Augusto van de Wiel (faw) wrote:
> Hi people,
>
> We are joining efforts on -l10n-portuguese to try to translate
> DSAs (new and old ones), because of that I'm copying -security and
> -l10n-portuguese.
>
> What is the best approach? Translate it through the webwmls after
> publication and announce or is there another place to work on while DSA
> is "cooking" (like DWN)? :)

Hi,

I'm currently the German translator for DSAs. As far as I know, there is no such place where a DSA is available for translating before it's published. Given the sensitivity of the information (unless there are fixed packages available), it seems unlikely to me that there will be such an arrangement.

Anyway, good luck with your efforts. It's quite a workload, I can tell you ...

Cheers,
--
Tobias

"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former" -- Albert Einstein
Re: New squid packages 2.4.6-2woody9 restarts very often.
14| Took 0.9 seconds ( 0.0 objects/sec).
2005/07/12 09:00:14| Beginning Validation Procedure
2005/07/12 09:00:14| Completed Validation Procedure
2005/07/12 09:00:14| Validated 0 Entries
2005/07/12 09:00:14| store_swap_size = 84k
2005/07/12 09:00:14| storeLateRelease: released 0 objects
squid: rfc1035.c:410: rfc1035RRUnpack: Assertion `(*off) <= sz' failed.
Aborted

Since RFC 1035 deals with DNS and the Squid patch is meant to specifically fix a DNS issue, I suspect there's a bug in the patch. Not knowing what better to do, I'm sending this message to the security team per CC.

Cheers, Tobias
Re: gpg keyrings and some problems ...
First of all sorry for the message off the list. It was meant to be sent to the list of course.

On 02/23/2005 04:25 PM, Gilberto Martins wrote:
> Your email sent on Wed 23 Feb 2005 10:51:
>> On 02/23/2005 02:21 PM, Gilberto Martins wrote:
>>> Every time I receive a mail from debian-security, I get a message as the
>>> one annexed, in the yellow strip, which says:
>>>
>>> "The message has been signed in 31-12-1969 20:59 with unknown key
>>> 0x801EA932. The validity (correct ???) of this sign could not be
>>> verified."
>> You need to import the key into your keyring:
>>
>> $ gpg --keyserver subkeys.pgp.net --recv-key 0x801EA932
>
> I really did it, and it partially worked.
> Now, it says that "the sign is valid, but unfaithful".

Yeah, what's wrong with that? I guess you didn't sign the key, so this is normal.

> Please, forgive my excessive questions. I really want to learn more about
> this. If you can send me some more links related to this subjects.

You should really read something about the basics of signing/encryption with PGP/GPG. Other people on the list already gave some pointers to excellent documentation.

Good luck,
Tobias
Re: blocking AXFR record query
David Barroso wrote:
> * James Miller ([EMAIL PROTECTED]) wrote:
>> If memory serves.. AXFR is a zone transfer... So, at your firewall, would want to only allow TCP queries from your backup (secondary, trinary..etc.) dns servers (on the outside of your firewall) and limit everyone else to UDP queries. And for your bind9 config something like this:
> It is not a good idea to block TCP packets to your DNS server, since TCP is not only used for zone transfer, it is also used when answering a DNS query with a response that does not fit in a normal UDP datagram.

In fact the limit is even much lower, namely 512 bytes (a UDP datagram has a 16-bit length field). But whether responses of your server will have to be truncated is entirely under your control and many sites don't have RRs that will cause more than a 512 byte response to be used.

Cheers, Tobias
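To make the point about TCP fallback concrete, here is an added example (not from the thread) that decodes the fixed DNS header and reads the TC (truncation) bit a server sets when its answer does not fit into the 512-byte UDP limit. A resolver that sees TC must repeat the query over TCP, which is exactly the traffic a "UDP only" firewall rule would drop. The response headers below are constructed, not captured traffic; the `would_truncate` helper assumes a server without EDNS0.

```python
import struct

UDP_DNS_LIMIT = 512  # RFC 1035: largest DNS message carried in one UDP datagram (no EDNS0)


def parse_dns_header(message):
    """Decode the fixed 12-byte header of a DNS message (RFC 1035, section 4.1.1)."""
    if len(message) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", message[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,   # 1 = this is a response
        "tc": (flags >> 9) & 1,    # 1 = TrunCation: the answer was cut to fit into UDP
        "rcode": flags & 0xF,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def needs_tcp_retry(message):
    """True when a response carries TC=1: the client must re-ask over TCP (RFC 1035, 4.2.1).
    If TCP/53 towards the server is filtered, this retry fails and the full answer is never seen."""
    hdr = parse_dns_header(message)
    return hdr["qr"] == 1 and hdr["tc"] == 1


def would_truncate(question_len, rr_lens):
    """Given the wire size of the question section and of each RR in the answer,
    decide whether a server without EDNS0 has to truncate the UDP response."""
    return 12 + question_len + sum(rr_lens) > UDP_DNS_LIMIT


def build_response(ident, truncated, ancount):
    """Constructed sample: a response header with QR=1 and, optionally, TC=1."""
    flags = (1 << 15) | (int(truncated) << 9)
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


# Constructed samples, not captured traffic.
NORMAL_RESPONSE = build_response(0x1234, truncated=False, ancount=2)
TRUNCATED_RESPONSE = build_response(0x1235, truncated=True, ancount=0)

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        print(name, "-> retry over TCP:", needs_tcp_retry(msg))
    # A 20-byte question plus 35 A records of 16 bytes each no longer fits into 512 bytes.
    print("35 A records fit in UDP:", not would_truncate(20, [16] * 35))
```

The `would_truncate` check is the "entirely under your control" part of the reply: if no name in your zones produces an answer above the limit, TCP is only needed for zone transfers, which is what `allow-transfer` in BIND restricts at the application layer without touching the transport.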
Re: Why do system users have valid shells
Dariush Pietrzak wrote:
>> 'su -s /bin/bash -c "cmd" user ' sounds like a very bs argument
> Do you understand the term 'breakage' ? How about the idea that changing something in the system may force you to rewrite parts of code?

Hence my original question. OK, it doesn't break cron, it does break 'su -c'. You can fix the latter by finding all instances of 'su -c' and replacing them with 'su -s /bin/sh -c'. Is there anything else that will probably break?

Cheers, Tobias
Re: Why do system users have valid shells
I.R.van Dongen wrote:
> If the shells are changed, there are some really big consequences, but

Such as? Please share your knowledge. :-)

Cheers, Tobias
Re: Why do system users have valid shells
Dariush Pietrzak wrote:
>> accounts? Do we risk breaking anything if we perform an s/\/bin\/sh$/\/bin\/false/ ?
> Yes, you'll run into trouble trying to run cronjobs as those system users,

No, cron jobs work just fine. I've got a user named 'mirror' with /bin/true as shell and it performs FTP mirror and rsync downloads absolutely fine.

> also su user -c command won't work, you'll need to use sudo or suid bit, and that's a bit messy.

This is true, when I need to su to this user's account (for troubleshooting, usually), I need to 'chsh -s /bin/bash mirror' first (and change it back later). However, I only need to do this very seldom. And I haven't ever needed to su to daemon, bin, sys, games, man, lp, mail, news, uucp, proxy, postgres, www-data, backup, operator, list, irc, gnats, nobody, amavis or cyrus. That's the list of user accounts with shell /bin/sh on my Debian box.

Cheers, Tobias
Why do system users have valid shells
Hi

We recently noticed that a stock woody install produces an /etc/passwd in which most, if not all, system users have a valid shell entry of /bin/sh. They're all unable to login due to having no valid password, but best UNIX security practice typically involves giving accounts that don't need to be able to login a shell of /bin/false or /bin/true. Other distros (at least some of them) appear to follow suit.

Is there a reason why Debian chooses to specify /bin/sh for system accounts? Do we risk breaking anything if we perform an s/\/bin\/sh$/\/bin\/false/ ?

Cheers, Tobias
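As an added example for this thread (not code from any of its posters), the following script audits a passwd file for system accounts that still carry a login shell and produces the rewritten file. It generalises the `s/\/bin\/sh$/\/bin\/false/` from the question: any login shell on a system UID is replaced, while root, ordinary users and accounts that already use /bin/false, /bin/true or nologin are left alone. The passwd excerpt is constructed from account names mentioned in the thread, and the assumption that UIDs 1 to 999 are the system range follows Debian policy (0-99 static, 100-999 dynamically allocated).

```python
# Constructed /etc/passwd excerpt modelled on accounts named in the thread (not a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mirror:x:105:105::/srv/mirror:/bin/true
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
tobias:x:1000:1000:Tobias:/home/tobias:/bin/bash
"""

# Shells that refuse an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/bin/true", "/usr/sbin/nologin", "/sbin/nologin"}
# Assumption: Debian reserves UIDs 1-999 for system accounts (root, UID 0, is excluded on purpose).
SYSTEM_UID_RANGE = range(1, 1000)


def parse_passwd(text):
    """Yield (name, uid, shell, raw_line) for every entry in passwd(5) format."""
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % raw)
        yield fields[0], int(fields[2]), fields[6], raw


def system_accounts_with_shell(text):
    """Names of system accounts whose shell would allow an interactive session."""
    return [name for name, uid, shell, _ in parse_passwd(text)
            if uid in SYSTEM_UID_RANGE and shell not in NOLOGIN_SHELLS]


def lock_shells(text, replacement="/bin/false"):
    """Return the passwd text with every system account's login shell replaced.
    This is the sed substitution from the question, applied to any login shell on a
    system UID instead of /bin/sh only; other entries are copied through unchanged."""
    out = []
    for name, uid, shell, raw in parse_passwd(text):
        if uid in SYSTEM_UID_RANGE and shell not in NOLOGIN_SHELLS:
            out.append(raw.rsplit(":", 1)[0] + ":" + replacement)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("system accounts with a login shell:", system_accounts_with_shell(SAMPLE_PASSWD))
    print(lock_shells(SAMPLE_PASSWD))
```

What the script cannot tell you is the breakage the thread is about: any maintainer script or cron job that runs `su user -c command` against one of these accounts stops working once the shell is /bin/false, and has to be changed to `su -s /bin/sh -c` (or sudo). Grep your scripts for `su -c` before applying the rewritten file.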
Re: Watch out! vsftpd anonymous access always enabled!
Dariush Pietrzak wrote:
> On Mon, Sep 22, 2003 at 10:18:20PM +0200, Bernd Eckenfels wrote:
>> FTP is a firewall nightmare,
> You think?

Not only he thinks that way. It's an accepted fact within the InfoSec community.

> Firewalls are a nightmare, and the only result of preferring http-only protocols is what you'll see in the nearest future: Every single new protocol is http and works via port 80/443. How's that for a firewall nightmare?

It is one, yes, but it's not the firewalls' fault. The problem is that some developers and users don't understand security and see firewalls as not much more than pesky contraptions that get in the way of everything. They consider their own applications as secure.

> Now you've got www traffic, file transfer, instant messaging, REMOTE PROCEDURE CALLS (soap/xml-rpc for example), all going through your precious firewall.

Using proper ALGs, you should be able to filter quite a bit of that stuff out currently, e.g. by placing strict constraints on the CONNECT method. If people start mimicking web pages, it's going to get more difficult. However, tunnelling is nothing really new. You can discover some of it using traffic analysis and investigating anomalous traffic patterns, such as HTTP with significant upstream traffic (HTTP should normally be very asymmetric).

>> it is insecure (plaintext),
> since when? It's only plaintext if you want it. You can choose/negotiate 'authentication, confidentiality and message integrity'. You can even change securelevels in runtime - encrypt only authentication ( cool for transferring non-sensitive bulk data like movies/already encrypted backups ), encrypt selected files, etc etc..
> Check:
> RFC 959 (FTP)
> RFC 2246 (TLS)
> RFC 1579 (Firewall-friendly data exchange)
> RFC 2228 (FTP security extensions) ( ftp://ftp.rfc-editor.org/in-notes/rfc2228.txt )

That RFC is from 1997... Those options are hardly ever used on the Internet. 99 out of 100 people who say FTP mean RFC959 only.

Cheers, Tobias
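The traffic-analysis idea in the reply (HTTP should be strongly asymmetric, so a conversation on 80/443 where the client sends most of the bytes stands out) is easy to turn into a first-pass detector over flow records. The following is an added example, not code from the thread; the flow records are constructed with documentation address ranges, and the byte-count fields mirror what a flow exporter would report, but the `Flow` type and thresholds are this example's own choices.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP conversation summarised by direction-specific byte counts."""
    client: str
    server: str
    port: int
    bytes_up: int    # client -> server
    bytes_down: int  # server -> client


# Constructed flow records (RFC 5737 documentation addresses); not real traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, 4_200, 310_000),       # ordinary page load
    Flow("10.0.0.6", "203.0.113.11", 443, 18_000, 2_400_000),   # download-heavy session
    Flow("10.0.0.9", "203.0.113.12", 443, 60_000, 9_000),       # small upload, under the volume floor
    Flow("10.0.0.7", "203.0.113.9", 443, 5_600_000, 48_000),    # sustained upstream on 443: tunnel-like
    Flow("10.0.0.8", "198.51.100.4", 22, 900_000, 40_000),      # not an HTTP port; ignored by this check
]

HTTP_PORTS = {80, 443}


def upstream_ratio(flow):
    """Share of the conversation's bytes that travelled from client to server."""
    total = flow.bytes_up + flow.bytes_down
    return flow.bytes_up / total if total else 0.0


def flag_asymmetric_http(flows, ratio_threshold=0.5, min_bytes=100_000):
    """Return flows on HTTP ports in which the client sent at least `ratio_threshold`
    of the bytes and the conversation moved at least `min_bytes` in total.
    The volume floor keeps small form POSTs out; the ratio catches sessions that look
    like an upload or a tunnel rather than browsing. Legitimate bulk uploads will also
    match, so treat hits as leads for investigation, not as verdicts."""
    flagged = []
    for flow in flows:
        if flow.port not in HTTP_PORTS:
            continue
        if flow.bytes_up + flow.bytes_down < min_bytes:
            continue
        if upstream_ratio(flow) >= ratio_threshold:
            flagged.append(flow)
    return flagged


def describe(flow):
    return "%s -> %s:%d up=%d down=%d ratio=%.2f" % (
        flow.client, flow.server, flow.port, flow.bytes_up, flow.bytes_down, upstream_ratio(flow))


if __name__ == "__main__":
    for flow in flag_asymmetric_http(SAMPLE_FLOWS):
        print("suspicious:", describe(flow))
```

Lowering `min_bytes` pulls the small upload into the result set as well, which is the usual tuning trade-off: the floor is what separates "someone attached a file to a webmail" from a client pushing megabytes out through a port that is open because it has to be.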
RE: OPENSSL
On Tue, Jun 10, Stefan Neufeind wrote:
> I'm using a 128-bit-cert.

You're using an X.509 certificate. The grade of symmetric encryption negotiated between browser and web server is (at least in theory) independent of the certificate.

> But browsers that support less encryption
> (e.g. IE that comes with WinNT4) can't access my SSL-pages because
> the encryption doesn't allow degradation.

The original NT shipped with IE2. Are you sure you want people to still use that?

> Is there any way to solve
> this prob? Using Apache with an official SSL-cert.
>
> PS: This just came to my mind when you said "step-up" - cause in my
> case it would be a "step-down", right?

I could imagine that IE2 has numerous problems with SSL. It could well be one of the browsers that need to see step-up certificates before they perform 128-bit symmetric cryptography. But I don't know.

Make sure you've allowed your Apache to use small key sizes first. I wouldn't use them, but you should be sure that it's not your server that's refusing to do e.g. 40-bit RC4. Then I'd urge the NT users to apply the latest service pack and preferably install IE6SP1 plus the Hotfixes that have been released since. And then they should install a better browser and use that instead. ;->

Cheers, Tobias
RE: OPENSSL
> I'm trying to generate a 40-bit certificate using OPENSSL. Can
> anybody tell me if this is possible and with which package?

The RSA keys used in X.509 certificates are typically 1024 or 2048 bits in length. What length the symmetric key used between two parties that have authenticated via X.509 certificates (with RSA keys) to subsequently protect their communication has, is not directly related to the certificate.

There are web browsers that will negotiate 128 bits only if the certificate presented by the web server is a "step-up certificate". I'm not sure what makes a certificate a step-up certificate, however, nor if this restriction still applies to current browsers.

Cheers, Tobias
Re: ssh "banner"
Hi,

On Fri, 18 Oct 2002, vdongen wrote:
> > Woody
> >
> > host:/home/przemol>telnet 192.168.x.y ssh
> > Trying 192.168.x.y...
> > Connected to 192.168.x.y.
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
> >
> > How can I disable the message ?
> This banner is needed information for a ssh client connecting to your
> server, therefore you better not disable it.

oops, of course you're right.. i didn't pay attention to the line saying telnet etc., i just kicked out my standard "how do i remove this annoying banner" reply that our customers get when they don't wanna see it. my fault..

tobias r.
--
NOC Hamster - Security Guy - Owner of one, root of many
Tobias Rosenstock - [EMAIL PROTECTED] - [EMAIL PROTECTED] - [EMAIL PROTECTED]
Wieske's Crew KG - http://irz42.net - http://www.crew-kg.de
Humboldtstr. 51 - Lessingstr. 2 - 22083 Hamburg - Germany
Re: ssh "banner"
On Fri, 18 Oct 2002 [EMAIL PROTECTED] wrote:
> Woody
>
> host:/home/przemol>telnet 192.168.x.y ssh
> Trying 192.168.x.y...
> Connected to 192.168.x.y.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> How can I disable the message ?

edit /etc/ssh/sshd_config and put a comment mark (#) at the beginning of the line that says

Banner /etc/issue.net

or something like that.

hth,
tobias r.
--
NOC Hamster - Security Guy - Owner of one, root of many
Tobias Rosenstock - [EMAIL PROTECTED] - [EMAIL PROTECTED] - [EMAIL PROTECTED]
Wieske's Crew KG - http://irz42.net - http://www.crew-kg.de
Humboldtstr. 51 - Lessingstr. 2 - 22083 Hamburg - Germany
Re: Newbie - wants to close ports
On Mon, Sep 30, 2002 at 11:03:17AM +0200, Zeno Davatz wrote:
> On 30.9.2002 10:54 Uhr, "InfoEmergencias - Luis Gómez"
> <[EMAIL PROTECTED]> wrote:
>
> > fingerd is the name of the package :)
> Thanks for the hint. Tried that also:
> debian:/etc# apt-get --purge remove fingerd
> Reading Package Lists... Done
> Building Dependency Tree... Done
> Package fingerd is not installed, so not removed
> 0 packages upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
>
> Now my port is still open: nmap -v
> 79/tcp open finger

Hi,

what does a

netstat -lnp|grep 79

say to you? You should see the process that binds to the port...

Regards,
Tobias.
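`netstat -lnp` gets its listener table from /proc/net/tcp and then maps each socket's inode to a PID by scanning /proc/<pid>/fd. As an added example (not from the thread), the script below performs the first half of that on a constructed /proc/net/tcp excerpt: it decodes the hex address:port columns, keeps rows in LISTEN state and returns the one bound to port 79, including the inode and owning UID that the PID lookup would start from. The excerpt is constructed; address decoding assumes a little-endian host such as x86, where the kernel prints the IPv4 address in host byte order.

```python
import socket
import struct

# Constructed excerpt in /proc/net/tcp layout (not from a real host); 0x004F is 79/tcp (finger).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:004F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1300 1 00000000 100 0 0 10 0
   2: 0A00000A:C1E8 5BEF0C0A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 4567 1 00000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(field):
    """'0100007F:0019' -> ('127.0.0.1', 25). The address is a 32-bit value in host byte
    order printed as hex, so it is repacked little-endian before inet_ntoa (x86 assumption)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_text):
    """Yield one dict per socket in LISTEN state: the same rows `netstat -ln` prints."""
    for line in proc_text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        yield {"ip": ip, "port": port, "uid": int(fields[7]), "inode": int(fields[9])}


def find_listener(proc_text, port):
    """Return the listener bound to `port`, or None. The inode is the key `netstat -p`
    resolves to a process by looking for a 'socket:[<inode>]' link under /proc/<pid>/fd."""
    for sock in listening_sockets(proc_text):
        if sock["port"] == port:
            return sock
    return None


if __name__ == "__main__":
    print(find_listener(SAMPLE_PROC_NET_TCP, 79))
    print(find_listener(SAMPLE_PROC_NET_TCP, 80))
```

On a real box you would read /proc/net/tcp (and /proc/net/tcp6) instead of the sample. The process that owns the inode is what answers the original question: if it is a super-server such as inetd rather than a standalone daemon, purging the `fingerd` package leaves the port open until the corresponding line in its configuration is removed.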
Re: your mail
Hi,

On Fri, 26 Jul 2002, Gerhard Simon wrote:
> How do i change password and or name in yahoo.
> Thanks for your help.

write email to [EMAIL PROTECTED] with the subject "toss my salad" and your desired new user name and password in the message body.

hth,
jeedi.
Re: subscribe
On Wed, 2002-05-22 at 00:21, Daniel Fairhead wrote:
> makes a change not to have the "un" at the beginning.

Yeah, even had to add another filter so I'll never see those again either.
open ports
i use iptables for my personal firewall. for proper configuration i need some information about ports used by different services. not the lower one. i can read the /etc/services on my own :) but for the use with icq, i'm not sure if i've opened the right one (i don't think so because i've got some problems, e.g. on file transfers)

in addition: to be able to play yahoo games there also must be open some ports above 35000 i think... but which one? i wanna use some scripts to open and/or close needed ports dynamically..;) is there a paper available?

thx @ll
Re: Locking down a guest account - need help.
Hello!

you can disable password login in sshd and only run ssh with public key authentication, just don't forget to put a root owned non-writable folder or file called ".ssh" and ".ssh2" in the accounts you do not wish people to log in to.

And I agree with Jim Breton about locking down PAM as much as possible.

/Tobias

On Fri, Aug 03, 2001 at 10:13:03PM +, Jim Breton wrote:
> On Fri, Aug 03, 2001 at 08:09:25PM +, Jim Breton wrote:
> > You can also disable access with PAM, using the "sshd" pam control file.
> > Just use pam_deny.so to deny authentication.

--
today's excuse
BOFH excuse #322: Your Pentium has a heating problem - try cooling it with ice cold water. (Do not turn off your computer, you do not want to cool down the Pentium Chip while he isn't working, do you?)