Re: Two HDD on Desktop PC

2019-08-05 Thread Vladislav Kurz
On 05/08/2019 11:08, Mostaf Faridi wrote:
> Thanks for your reply
> Your guide is good.
> I want the Debian HDD to not be mountable or usable from Linux Mint.
> I want Linux Mint not to be able to mount the Debian HDD.
> I want to find a way to configure my Debian system so that other OSes
> cannot mount the Debian HDD.

In that case you have to encrypt both Debian and Mint drives, or
physically disconnect them.

-- 
Best Regards
Vladislav Kurz

> 
> MyWebSite http://mfaridi.com
> 
> On Mon, 5 Aug 2019, 13:14 Vladislav Kurz <vladislav.k...@webstep.net> wrote:
> 
> On 04/08/2019 21:51, Mostaf Faridi wrote:
> > I have a desktop PC with two HDDs. On the first HDD I have Debian 10
> > and on the second HDD I have Linux Mint.
> > The file system on Debian is Ext4.
> > When I boot Linux Mint I can access the files on the Debian HDD.
> > I want this not to happen.
> > I want none of my files to be accessible from another Linux distro.
> > How can I config
> >
> > MyWebSite http://mfaridi.com
> 
> Hello Mostaf,
> 
> there have already been some suggestions. But to find the right
> solution, you have to say what level of isolation of those two systems
> you need.
> 
> - is it just to prevent unprivileged users from accessing the other
> drive? - then umount and removal from fstab is probably enough
> 
> - is it to prevent root from reading the other drive? - then you must
> encrypt
> 
> - is it to prevent root from erasing the other drive? - then you must
> physically remove it each time
> 
> -- 
> Best Regards
>         Vladislav Kurz
> 




Re: Two HDD on Desktop PC

2019-08-05 Thread Vladislav Kurz
On 04/08/2019 21:51, Mostaf Faridi wrote:
> I have a desktop PC with two HDDs. On the first HDD I have Debian 10 and on
> the second HDD I have Linux Mint.
> The file system on Debian is Ext4.
> When I boot Linux Mint I can access the files on the Debian HDD.
> I want this not to happen.
> I want none of my files to be accessible from another Linux distro.
> How can I config
> 
> MyWebSite http://mfaridi.com

Hello Mostaf,

there have already been some suggestions. But to find the right
solution, you have to say what level of isolation of those two systems
you need.

- is it just to prevent unprivileged users from accessing the other
drive? - then umount and removal from fstab is probably enough

- is it to prevent root from reading the other drive? - then you must
encrypt

- is it to prevent root from erasing the other drive? - then you must
physically remove it each time

-- 
Best Regards
Vladislav Kurz



Re: Two HDD on Desktop PC

2019-08-05 Thread Vladislav Kurz
On 04/08/2019 23:57, Ruslanas Gžibovskis wrote:
> 2) If you just do not want to see it, run: find / -type f -delete 

OMG, I thought that members of Debian community would not give this sort
of malicious advice. That command deletes everything.

Please be nice to each other.

-- 
Best Regards
    Vladislav Kurz



Re: APT vulnerability [DSA 4371-1]

2019-01-22 Thread Vladislav Kurz
On 1/22/19 3:43 PM, Evgeny Kapun wrote:
> On 22.01.2019 16:59, Vladislav Kurz wrote:
>> Hello everybody,
>>
>> I'm also encountering many errors when using
>>   apt -o Acquire::http::AllowRedirect=false update
>>   apt -o Acquire::http::AllowRedirect=false upgrade
>>
>> As written in announcement: This is known to break some proxies when
>> used against security.debian.org.
>>
>> However I do not use proxy at all. I have problems with jessie/updates,
>> cdn.debian.net, and http.debian.net
> 
> Try these URLs: http://cdn-fastly.deb.debian.org/debian,
> http://cdn-fastly.deb.debian.org/debian-security. The domains
> cdn.debian.net and http.debian.net are deprecated, use deb.debian.org
> instead.

Thanks for this info. It seems that jessie needs the above direct URL to
fastly even if not behind proxy (can't use SRV records).


-- 
Best Regards
Vladislav Kurz



APT vulnerability [DSA 4371-1]

2019-01-22 Thread Vladislav Kurz
Hello everybody,

does this vulnerability also affect apt-get?
If yes, will there be another DSA soon?

I'm also encountering many errors when using
 apt -o Acquire::http::AllowRedirect=false update
 apt -o Acquire::http::AllowRedirect=false upgrade

As written in announcement: This is known to break some proxies when
used against security.debian.org.

However I do not use proxy at all. I have problems with jessie/updates,
cdn.debian.net, and http.debian.net

Err http://security.debian.org jessie/updates/main i386 Packages
  302  Found [IP: 217.196.149.233 80]
Err http://security.debian.org jessie/updates/contrib i386 Packages
  302  Found [IP: 217.196.149.233 80]
Err http://security.debian.org jessie/updates/non-free i386 Packages
  302  Found [IP: 217.196.149.233 80]
Fetched 151 kB in 9s (16.2 kB/s)

Err:14 http://cdn.debian.net/debian stretch Release
  302  Found [IP: 2001:4f8:1:c::15 80]
Err:15 http://cdn.debian.net/debian stretch-updates Release
  302  Found [IP: 2001:4f8:1:c::15 80]
Err:16 http://cdn.debian.net/debian stretch-backports Release
  302  Found [IP: 2001:4f8:1:c::15 80]

Err:7 http://http.debian.net/debian stretch Release
  302  Found [IP: 2001:67c:2564:a119::148:14 80]
Err:8 http://http.debian.net/debian stretch-updates Release
  302  Found [IP: 2001:67c:2564:a119::148:14 80]
Err:9 http://http.debian.net/debian stretch-backports Release
  302  Found [IP: 2001:67c:2564:a119::148:14 80]


-- 
Best Regards
    Vladislav Kurz



Re: samba security update - workaround does not start

2018-03-13 Thread Vladislav Kurz
Hello all,

I wanted to run the workaround script from
https://wiki.samba.org/index.php/CVE-2018-1057

But it fails with:

# ./samba_CVE-2018-1057_helper --lock-pwchange
Temporarily overriding 'dsdb:schema update allowed' setting
Traceback (most recent call last):
  File "./samba_CVE-2018-1057_helper", line 139, in <module>
sd_helper.modify_sd_on_dn(msg.dn, new_desc)
  File "/usr/lib/python2.7/dist-packages/samba/sd_utils.py", line 40, in
modify_sd_on_dn
m.dn = Dn(self.ldb, object_dn)
TypeError: argument 2 must be string, not ldb.Dn
A transaction is still active in ldb context [0x228cc20] on
tdb:///var/lib/samba/private/sam.ldb


--dry-run runs nicely, listing all users from LDAP.

Has anyone an idea what's wrong? Maybe some python modules?


-- 
Best Regards
Vladislav Kurz



Re: vulnerability in 8.6

2016-11-10 Thread Vladislav Kurz
On 11/10/16 04:20, Richard Waterbeek wrote:
> Hi Salvatore, Ozgur,
> 
> You posted this url; https://www.debian.org/security/2016/dsa-3696
> 
> But, I have looked for a update and I went to Debian package search and
> searched for; 'kernel image 686
> pae' 
> [https://packages.debian.org/search?suite=stable&section=all&arch=any&searchon=names&keywords=kernel+image+686+pae]
> 
> This gave one result, which is; 'kernel-image-3.16.0-4-686-pae-di' and
> written with that, 'Linux kernel binary image for the Debian installer
> 3.16.36-1+deb8u1: i386'

Check what kernel your system is running:

# uname -a
Linux hostname 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 GNU/Linux

The kernel packages for the running system (not the installer) are:
linux-image-*** not kernel-image-***

You can check what is installed by: dpkg -l|grep linux

> And I read that I need a '+deb8u2' kernel?
> 
> Can someone explain to me what to do next? I have the assumption that a
> 'apt-get install "name-of-required-kernel-package"' would be sufficient?

apt-get update; apt-get upgrade

followed by reboot should be sufficient.

-- 
Best Regards
Vladislav Kurz



Re: Handling of "malware" in Debian

2016-11-09 Thread Vladislav Kurz
On 11/09/16 15:59, Paul Wise wrote:
> On Wed, Nov 9, 2016 at 10:54 PM, W. Martin Borgert wrote:
> 
>> What do you think?
> 
> A new empty package would be better than just removing it but the user
> would not get any notification about why the functionality is gone nor
> any information about the privacy violations they were subject to.
> 
User info could be provided in NEWS.Debian, to be shown via
apt-listchanges, which I hope is mailed if someone uses unattended upgrades.

-- 
Best regards
Vladislav Kurz



Re: [SECURITY] [DSA 3567-1] libpam-sshauth security update

2016-05-06 Thread Vladislav Kurz
On Friday 06 of May 2016 Jason Fisher  wrote:

> Unsubscribe

Sorry, I could not resist... 
http://xkcd.com/1675/



Re: [SECURITY] [DSA 3548-2] samba regression update [SA-DEBIAN #61116]

2016-04-14 Thread Vladislav Kurz
On Thursday 14 of April 2016 you wrote:

> -
> Debian Security Advisory DSA-3548-2   secur...@debian.org
> https://www.debian.org/security/ Salvatore Bonaccorso
> April 14, 2016https://www.debian.org/security/faq
> -
> 
> Package: samba
> Debian Bug : 820947
> 
> The upgrade to Samba 4.2 issued as DSA-3548-1 introduced a packaging
> regression causing an additional dependency on the samba binary package
> for the samba-libs, samba-common-bin, python-samba and samba-vfs-modules
> binary packages. Updated packages are now available to address this
> problem.

Thanks for the quick fix,

during the update I got the following error:

Unpacking samba-libs:amd64 (2:4.2.10+dfsg-0+deb8u2) over 
(2:4.2.10+dfsg-0+deb8u1) ...
dpkg: error processing archive /var/cache/apt/archives/samba-
libs_2%3a4.2.10+dfsg-0+deb8u2_amd64.deb (--unpack):
 trying to overwrite '/usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0', 
which is also in package samba 2:4.2.10+dfsg-0+deb8u1
dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)

Subsequent run of apt-get -f install, finished successfully


-- 
Best regards
Vladislav Kurz

Headquarters: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: i...@webstep.net
Tel: 840-840-700, +420.548214711
Terms and conditions: https://zkrat.to/op




Re: Call for testing: upcoming samba security update

2016-04-14 Thread Vladislav Kurz
Hi,

I have noticed that samba-common-bin now depends on samba. It didn't before 
the upgrade. Is there any special reason for that? I just need nmblookup on 
some servers (and smbclient/cifs) but not the server package.

-- 
Best Regards
    Vladislav Kurz



Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)

2016-04-11 Thread Vladislav Kurz
On Monday 11 of April 2016 Elmar Stellnberger  wrote:

> Nonetheless the last time I had connected via a similar but more
> suspicious VPN to France I got a similar login attempt via my Google
> account from Vienna, Austria while I was staying in Carinthia and
> connected via Klagenfurt/Austria (where my ISP links to). That time
> there was definitely reason to believe in an attack of my Google account
> and I had my password changed.

Hi,

I would not worry if the connection is reported to be from Vienna
instead of Klagenfurt - it is still from the same country, and GeoIP databases
are IMHO not very precise.

But I cannot resist one question - why do you use suspicious VPNs at all?

-- 
Best Regards
Vladislav Kurz



Re: Changing the "Reply-To:" for debian-security-announce

2016-03-03 Thread Vladislav Kurz
Hi all,

what about pointing reply-to to an address that will automatically unsubscribe?

Most replies are either unsubscribe attempts or misconfigured vacation
autoresponders.

I know it may be pretty harsh, but it will do away with trolls ;)

-- 
Regards
Vladislav Kurz



Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Vladislav Kurz
On Wednesday 09 of April 2014 13:26:06 bsod wrote:
> On 2014-04-09 12:42, Rob van der Putten wrote:
> > According to a post on slashdot SSH is not effected. I don't know if
> > this is correct.
> 
> (Open-)SSH is not affected as it does not use openssl at all. Should be
> the same for other SSH daemons like dropbear as they are not using TLS
> in SSH Protocol.

So, why does openssh-server depend on libssl?

ldd /usr/sbin/sshd says it needs libcrypto.so, which is part of openssl?


-- 
Best regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
Terms and conditions: http://zkrat.to/op
=== www.webstep.net === vladislav.k...@webstep.net ===



Re: iptable mac address not showing in log

2013-02-19 Thread Vladislav Kurz
On Tuesday 19 of February 2013, sectech wrote:
> Hi, I need the MAC address of the originating request of outgoing packets.
> I'm not sure if I'm missing something or maybe Debian squeeze does not have
> this functionality? But here is my iptables command and I'm logging ALL NEW
> outgoing requests (INFO) on eth0
> iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -j LOG --log-level 6
> iptables -A OUTPUT -o eth0 -p udp -m state --state NEW -j LOG --log-level 6
> 
> Feb 18 22:17:32 my-debian kernel: [50421.784255] IN= OUT=eth0 SRC=1.1.1.1
> DST=2.2.2.2 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=13743 PROTO=UDP SPT=1765
> DPT=53 LEN=61

Hi, if you are logging in the OUTPUT chain, then the MAC address is the address of
your computer. Only packets generated by the computer itself are logged. In
this case see "ifconfig eth0" to get your MAC address.

Perhaps you wanted to log outgoing packets in the FORWARD chain?

-- 
Best regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === vladislav.k...@webstep.net ===


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201302191024.03864.vladislav.k...@webstep.net



Re: [SECURITY] [DSA 2318-1] cyrus-imapd-2.2 security update

2011-10-10 Thread Vladislav Kurz
On Friday 07 of October 2011, Nico Golde wrote:
> --
> Debian Security Advisory DSA-2318-1secur...@debian.org
> http://www.debian.org/security/ Nico Golde
> Oct 6, 2011 http://www.debian.org/security/faq
> --
> 
> Package: cyrus-imapd-2.2
> Vulnerability  : multiple
> Problem type   : remote
> Debian-specific: no
> Debian bug : none
> CVE IDs: CVE-2011-3372 CVE-2011-3208

Hello everybody,

I wonder if there is something wrong with this DSA. I manage a lot of servers
with cyrus, but the update is available only on one of them (squeeze, amd64),
and not on the others (squeeze/lenny, i386). I do not use nntp, so I feel
safe, but it might indicate some build problems.

-- 
Best Regards
Vladislav Kurz


Archive: http://lists.debian.org/201110101204.21526.vladislav.k...@webstep.net



Long Exim break-in analysis

2010-12-21 Thread Vladislav Kurz
Hello all,

first, I apologize for a long mail. Don't read if you don't like long e-mails.
But as Thorsten was already affected by exim exploit I thought this might be 
interesting for all debian-exim users:

one of my friends asked me for help with his server, and I discovered that it 
was rooted through unpatched exim. System is being reinstalled now, and I 
decided to write something about this exploit. I hope you will find the info 
interesting. It won't be anything exact, because the machine is offline now, 
but anyway here it goes:

The first sign was that mail did not get through. The server was overloaded and a
process named syslogd was using most of the CPU. At first sight "top" was
looking a bit different than usual. ps showed processes /sbin/syslogd and
syslogd (without path). The first one was ok, the second one was doing something
nasty and using the CPU. /proc/PID/exe was a symlink to perl...

After I killed (-9) this rogue syslog, exim spawned a new one! So I killed them
both. There were some interesting files in /var/spool/exim4/ - two configs
that download a binary named setuid into /var/spool/exim4/, make it setuid
and try to run it. The other config did the same in /var/spool/exim/.
I think it was the same as shown on the exim mailing list.

However /var/ was mounted nosuid so it failed (a few days ago). But the bad guy
was able to get a shell as the debian-exim user, and compiled another binary. He
left us the source ;) - it was supposed to install his public key
into /root/.ssh/authorized_keys. I checked this file and found there a public
key but it was different from the one in /var/spool/exim/. Removed.

It seems that the first attack was unsuccessful, but then some other attacker
found that /tmp was not on a separate partition, and setuid worked there. He
left some evidence in /var/spool/exim/.bash_history - downloading and running
some rootkit. A further search for suspicious processes found sshd on a port
above 55000. Killed immediately.

Then I started to get annoyed by ls, because it was spewing errors. It was 
because I have alias l='ls --color=auto'. Pure ls was ok. So I started 
looking for modified binaries, and found that some are owned by UID=122 which 
was not present in /etc/passwd:

find /bin/ /sbin/ /usr/bin/ /usr/sbin/ -not -user root -ls

-rwxr-xr-x   1 122  114 54152 Dec  4  2005 /bin/netstat
-rwxr-xr-x   1 122  114 39696 Jan 30  2007 /bin/ls
-rwxr-xr-x   1 122  114 62920 Sep 13  2006 /bin/ps
-rwxr-xr-x   1 122  114 212747 Jan 30  2007 /sbin/ttyload
-rwxrwxr-x   1 122  114 93476 Jan 30  2007 /sbin/ttymon
-rwxr-xr-x   1 122  114 31504 Dec  4  2005 /sbin/ifconfig
-rwxr-xr-x   1 122  114 33992 Sep 13  2006 /usr/bin/top
-rwxr-xr-x   1 122  114 31452 Jan 30  2007 /usr/bin/md5sum
-rwxr-xr-x   1 122  114 12340 Aug  9  2006 /usr/bin/pstree
-rwxr-xr-x   1 122  114 59536 Jul 30  2007 /usr/bin/find

so now it explained why ls and top behaved differently than usual. Of course 
we cannot trust these results because ls and find are modified as well...

Further idea was, they must have done something to start after reboot, 
check /etc/inittab and there was something like this:

# standard tty stuff
0:2345:respawn:/sbin/ttyload

nice comment eh? Interesting is that mtime was probably preserved, but ctime
was recent (a few hours).

ps did not show that ttyload is running, but killall killed something 
anyway ;) because on first run it did not complain, but second time it said: 
no process killed. Then I compared netstat (hacked) with nmap from outside, 
and found that lots of ports are missing. Apache is running but not listening 
according to netstat... so there might be further backdoors hidden.

That's almost all. The machine is now offline, replaced by another one. I'll try to
get the hacked machine booted from a live-cd, so I can examine it with
trustworthy tools, and if I find more interesting things I'll post a follow
up.

Lessons learned:
1. subscribe to DSA and run apt-get
2. /var/spool, /var/tmp, /tmp and other places where unprivileged users can 
write, should be mounted nosuid and even better noexec. It seems that this 
could prevent the attack, or at least make it much more difficult. 

As for point 2. it's a pity that dpkg is using /tmp and /var/lib/dpkg/ to run 
scripts during installation and removal of packages. It would be nice if 
whole /var could be mounted noexec.

That's all folks
-- 
Regards
Vladislav Kurz
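The three tampering signs in the account above (binaries owned by a UID missing from /etc/passwd, a preserved mtime with a fresh ctime, and a respawn entry in /etc/inittab that is not a getty) can be checked mechanically. This is an added example for this archive page, not code from the post; the inittab text and the demo directory are constructed, and like the post's own `find` it trusts the running kernel's stat(), so it belongs on a live-CD boot rather than the compromised system.

```python
"""Checks for the tampering signs described in the break-in account:
system binaries owned by a UID absent from the password database, binaries
whose ctime is far newer than a backdated mtime, and /etc/inittab respawn
entries that are not a getty. Added example, not code from the original
post; SAMPLE_INITTAB and make_demo_tree() are constructed."""
import os
import pwd
import stat
import tempfile
import time
from dataclasses import dataclass

SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")
# respawn programs a stock Debian inittab of that era would carry (assumption)
EXPECTED_RESPAWN = ("/sbin/getty", "/sbin/agetty", "/sbin/mgetty")


@dataclass
class Finding:
    path: str
    reason: str


def known_uids():
    """UIDs present in the password database (the post's trojaned binaries
    were owned by UID 122, which had no /etc/passwd entry)."""
    return {p.pw_uid for p in pwd.getpwall()}


def scan_tree(root, uids, ctime_slack=86400):
    """Return Findings for regular files under root whose owner is not in
    uids, or whose ctime is more than ctime_slack seconds after mtime.
    A replaced binary whose mtime was restored with touch still gets a
    fresh ctime, which is what the post noticed on /etc/inittab."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_uid not in uids:
                findings.append(Finding(path, f"owner uid {st.st_uid} not in passwd"))
            gap = st.st_ctime - st.st_mtime
            if gap > ctime_slack:
                findings.append(Finding(path, f"ctime {gap:.0f}s newer than mtime"))
    return findings


def rogue_respawn_entries(inittab_text, expected=EXPECTED_RESPAWN):
    """Return (id, process) for respawn lines whose program is not an
    expected getty. The post found 0:2345:respawn:/sbin/ttyload parked
    under a '# standard tty stuff' comment."""
    rogue = []
    for line in inittab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)  # id:runlevels:action:process
        if len(fields) < 4 or fields[2] != "respawn":
            continue
        ident, process = fields[0], fields[3]
        program = process.split()[0] if process.split() else ""
        if program not in expected:
            rogue.append((ident, process))
    return rogue


SAMPLE_INITTAB = """# /etc/inittab: constructed sample
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
# standard tty stuff
0:2345:respawn:/sbin/ttyload
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
"""


def make_demo_tree():
    """Constructed stand-in for a trojaned /bin: one file whose mtime is
    backdated ten days while its ctime stays at now.
    Returns (directory, file path, owning uid)."""
    d = tempfile.mkdtemp(prefix="bin-demo-")
    p = os.path.join(d, "ls")
    with open(p, "w") as fh:
        fh.write("not really ls\n")
    old = time.time() - 10 * 86400
    os.utime(p, (old, old))  # sets atime/mtime only; ctime moves to now
    return d, p, os.lstat(p).st_uid


if __name__ == "__main__":
    uids = known_uids()
    for root in SYSTEM_DIRS:
        for f in scan_tree(root, uids):
            print(f"{f.path}: {f.reason}")
    for ident, proc in rogue_respawn_entries(SAMPLE_INITTAB):
        print(f"inittab id {ident} respawns {proc}")
```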


Archive: http://lists.debian.org/201012212307.37241.vladislav.k...@webstep.net



Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

2010-12-17 Thread Vladislav Kurz
On Friday 17 of December 2010, Paul Stewart wrote:
> I have a question related to this security announcement and hope it's
> appropriate to ask here...
> 
> I just recently installed a couple of machines with Debian 5 using
> netinstall.  They are running Exim which reports as 4.69 in the banner.
> 
> I have run aptitude update/upgrade and am not seeing anything new for Exim -
> am I safe to assume I'm up to date and not vulnerable to this security
> issue? Sorry, just started using Debian - been at least 5 years since I
> ran it and wanted to make sure

If you have enabled the security updates repository then you should be OK.
Check your /etc/apt/sources.list if it contains this line:

deb http://security.debian.org/ lenny/updates main contrib non-free

And check version of exim4 using "dpkg -l exim*". It should be: 4.69-9+lenny1.

-- 
Regards
Vladislav Kurz


Archive: http://lists.debian.org/201012171345.33508.vladislav.k...@webstep.net



Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

2010-12-17 Thread Vladislav Kurz
On Friday 17 of December 2010, Carlos Alberto Lopez Perez wrote:
> On 12/17/2010 12:35 PM, Vladislav Kurz wrote:
> > On Friday 17 of December 2010, Thorsten Göllner wrote:
> >> Hi,
> >> 
> >> The other point is that pstree reports a process "zinit" I never saw in
> >> the past:
> >> 
> >> 
> >> 
> >> But I do not have any idea what it is. And I can not see the process
> > 
> >> with "ps":
> > If pstree shows zinit and ps does not, it might mean that you are already
> > rooted (owned, hacked, cracked, etc), and your ps binary was modified to
> > hide the presence of rootkit named zinit.
> 
> Good point.
> 
> Try to check the md5sum of ps:
> 
> # apt-get install debsums
> # debsums procps
> 

just for reference - md5sum of /bin/ps on i386/lenny 
(checked from freshly downloaded package)

a6094706266c8ec3b068cf964824afee  /bin/ps

-- 
Regards
Vladislav Kurz


Archive: http://lists.debian.org/201012171317.52933.vladislav.k...@webstep.net



Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

2010-12-17 Thread Vladislav Kurz
On Friday 17 of December 2010, Thorsten Göllner wrote:
> Hi,
> 
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
> mails. I always get the message, that the mail is not routeable. I only
> used "dpkg-reconfigure exim4-config" without touching one config file by
> hand. I detected a log message (panic log) which says, that there was a
> "too large message". Since that point exim4 stopped working.

The last exploit of exim4 is based on too large messages causing buffer
overflows that can lead to root privileges. (Sorry for the simplification, full
details are on the exim mailing list).
 
> The other point is that pstree reports a process "zinit" I never saw in
> the past:
> 
> 
>
> But I do not have any idea what it is. And I can not see the process
> with "ps":
> 

If pstree shows zinit and ps does not, it might mean that you are already 
rooted (owned, hacked, cracked, etc), and your ps binary was modified to hide 
the presence of rootkit named zinit.

> Do I have a security issue here? Any other idea?

IMHO yes, you have a security issue.

-- 
Regards
Vladislav Kurz


Archive: http://lists.debian.org/201012171235.51130.vladislav.k...@webstep.net



[Seznam #76865] [Support] [SECURITY] [DSA-2068-1] New python-cjson packages fix denial of service

2010-07-16 Thread Vladislav Kurz
On Thursday 15 of July 2010, Radovan Vrzdiak wrote:
> The request received with the subject "[SECURITY] [DSA-2068-1] New python-cjson
> packages fix denial of service" has been closed/resolved.
>
> Please do not reply to this e-mail unless you wish to continue resolving
> this request. Thank you.

Dear Sirs,

Not only do I not wish you to continue resolving this request, but above all
I do not wish you to inform thousands of people from all over the world about
it on the mailing list debian-secur...@lists.debian.org.

> --
> Radovan Vrzdiak
> System support
> Seznam.cz, a.s.
>
> fax: +420 234 694 115
> supp...@firma.seznam.cz
> http://www.seznam.cz



-- 
Best regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === vladislav.k...@webstep.net ===





Archive: 
http://lists.debian.org/rt-3.6.7-3619-1279265834-1226.76865-6...@seznam.cz



security support for etch?

2009-08-07 Thread Vladislav Kurz
Hello,

I'd like to ask the security team how long they plan to support etch
(oldstable). I remember that when etch was released, they announced that support
for sarge would continue for one year. I haven't seen such an announcement since
lenny was released.

Anyway big thanks to all in the security team for their valuable work.

-- 
Regards
    Vladislav Kurz





Re: /dev/shm/r?

2009-06-01 Thread Vladislav Kurz
On Monday 01 of June 2009, Johann Spies wrote:
> I am a bit worried that my computer has been compromised.
>
> Rkhunter reported:
>
> [10:35:47] Warning: Suspicious file types found in /dev:
> [10:35:47]  /dev/shm/r: ASCII text
> [10:35:48]   Checking for hidden files and directories   [ Warning
> ]
> [10:35:48] Warning: Hidden directory found: /etc/.java
> [10:35:48] Warning: Hidden directory found: /dev/.udev
> [10:35:48] Warning: Hidden directory found: /dev/.initramfs
>
> I think the last three lines are not problematic but in /dev/shm/r I found:
>
> spawn /bin/bash
> interact
>
> Do I have reason to be worried?

Well, this really looks suspicious. Look for unexpected processes running,
open ports, etc. The directory /dev/shm/ is world-writable like /tmp, so chances
are that the attacker has not gained root yet. But he might have a shell
listening on some port and be trying hard to get root using some local exploit.

-- 
Regards
Vladislav Kurz





Re: Securing my PC at a Wireless Hotspot?

2009-02-11 Thread Vladislav Kurz
On Tuesday 10 of February 2009, Wade Richards wrote:
> On Tue, Feb 10, 2009 at 11:50:05AM +0100, Johan 'yosh' Marklund wrote:
> > Bernd Eckenfels skrev:
> > > In article  
you wrote:
> > >> Use a VPN or an SSH tunnel to a trusted source.
> > >
> > > A very neat trick is using dynamic port forwarding of SSH (-D 1080).
> > > You only need to login to any SSH Server and enable the auto
> > > forwarding. Then you can enter the SSH client as a SOCKS proxy server
> > > and you are done (for surfing).
> >
> > You could use the -w option in newer ssh server versions to tunnel
> > through virtual tun devices =)
>
> One problem with tunnels is that you can accidentally not use the tunnel.
>
> E.g. I have eth0 which is connected to the insecure network, and
> my encrypted tunnel to a secure network.
>
> Although the tunnel is available, the unsecure eth0 is still also
> available.  I need to correctly set up the SOCKS proxy or set up the
> routing tables, or do something to be sure that all my network traffic
> is going through the tunnel and not just directly to the unsecure eth0.
> There's no easy way to tell if you're doing it right, either, since the
> web looks basically the same from the unsecure network as from the secure
> one.

You can tell by checking the routing tables, or visiting a web page that shows
your IP. And you should know the IP of your tunnel server.

> The Cisco VPN I use on my employer's Windows machine has an interesting
> feature: it completely hides the unencrypted network.  Once I create the
> VPN tunnel, my machine releases its local IP address and there is no
> way for any network connections (other than the tunnel, of course) to go
> over the unencrypted device.  It is as if that device is disabled.
>
> This makes it idiotproof, which is an important but often overlooked
> aspect of security.
>
> So, is it possible to do that sort of thing with a Linux laptop?

OpenVPN can do that as well - look for option --redirect-gateway

-- 
regards
Vladislav Kurz





Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

2008-07-09 Thread Vladislav Kurz
On Tuesday 08 of July 2008, Florian Weimer wrote:
> * Mert Dirik:
> >> PowerDNS is not available on all architectures, and Unbound and tinydns
> >> are not part of etch.
> >>
> >> So it's lack of alternatives, more or less.
> >
> > I don't really know much about these things but can't maradns
>
> MaraDNS could be used, I think.  However, I'm not familiar with that
> implementation.
>
> > or dnsmasq be used with same purpose?
>
> dnsmasq needs to be patched first.

AFAIK dnsmasq is a forwarding-only resolver; it needs some real DNS server to
send queries to be resolved. So it should be OK. Or am I completely wrong?
Can someone confirm or oppose this?

-- 
Regards
Vladislav Kurz





Re: Find installed contrib and non-free packages

2008-06-12 Thread Vladislav Kurz
On Thursday 12 of June 2008, Martin Bartenberger wrote:
> Hi,
>
> just a few days ago I've read at
> http://www.debian.org/security/faq.en.html#contrib that contrib and
> non-free packages are not supported by the Debian security team.
>
> Now I want to find out which contrib and non-free packages are installed
> on my servers. Is there any special command or script for this or do I
> have to write one?

Hi, I use this method:

1. remove contrib and non-free from /etc/apt/sources.list
2. run dselect (update, select) and you will see all contrib and non-free 
packages as obsolete/local packages. 

Maybe aptitude will do the same, but I don't use it  ;-)

-- 
Regards
Vladislav Kurz
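A scriptable alternative to the dselect method above, added here as an example and not code from the post: the dpkg status database records each package's Section, and packages from contrib or non-free carry the component as a prefix (`non-free/utils`), so the installed set can be filtered on that. The sample status text is constructed.

```python
"""Report installed packages from contrib, non-free or non-free-firmware by
reading the Section field of the dpkg status database, where the component
appears as a prefix ('non-free/utils'). Added example, not the dselect
method from the post above; SAMPLE_STATUS is constructed."""
from typing import Iterator

STATUS_DB = "/var/lib/dpkg/status"
UNSUPPORTED = ("contrib", "non-free", "non-free-firmware")


def stanzas(text: str) -> Iterator[dict]:
    """Yield each blank-line separated stanza as a {field: value} dict.
    Continuation lines (leading whitespace) fold into the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                yield fields
            fields, last = {}, None
        elif line[0] in " \t" and last is not None:
            fields[last] += "\n" + line.strip()
        elif ":" in line:
            last, _, value = line.partition(":")
            fields[last] = value.strip()
    if fields:
        yield fields


def component_of(section: str) -> str:
    """'non-free/utils' -> 'non-free'; a bare 'utils' means main."""
    return section.split("/", 1)[0] if "/" in section else "main"


def is_installed(status: str) -> bool:
    """dpkg Status is 'want flag status'; only the last word matters
    (a removed package with config files left is 'deinstall ok config-files')."""
    words = status.split()
    return bool(words) and words[-1] == "installed"


def unsupported_installed(status_text: str):
    """Sorted (package, component) pairs for installed packages outside main."""
    out = []
    for st in stanzas(status_text):
        if not is_installed(st.get("Status", "")):
            continue
        comp = component_of(st.get("Section", ""))
        if comp in UNSUPPORTED:
            out.append((st["Package"], comp))
    return sorted(out)


# Constructed excerpt in /var/lib/dpkg/status format; versions are made up.
SAMPLE_STATUS = """Package: coreutils
Status: install ok installed
Section: utils
Version: 6.10-6

Package: flashplugin-nonfree
Status: install ok installed
Section: contrib/web
Version: 1:2.4

Package: unrar
Status: install ok installed
Section: non-free/utils
Version: 1:3.8.2-1
Description: Unarchiver for .rar files
 A continuation line that the parser must fold into Description.

Package: rar
Status: deinstall ok config-files
Section: non-free/utils
Version: 1:3.7-1
"""

if __name__ == "__main__":
    with open(STATUS_DB) as fh:
        for name, comp in unsupported_installed(fh.read()):
            print(f"{name}\t{comp}")
```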





Re: lm-sensors update for sarge

2008-05-27 Thread Vladislav Kurz
On Tuesday 27 of May 2008, dann frazier wrote:
> On Mon, May 26, 2008 at 03:56:21PM +0200, Vladislav Kurz wrote:
> > Hello all,
> >
> > A few days ago I was surprised that there is an update for lm-sensors
> > (and libsensors3) for sarge. It is available from security.debian.org. I
> > know that sarge does not have any security support any more, and there
> > was no DSA about lm-sensors this year. So I ask - does anyone know what
> > is going on?
>
> lm-sensors was updated recently for compatibility with the 2.4.27
> kernel update which had an ABI change (DSA 1503). Aurelien Jarno
> discovered that this update had a problem (#475164) that resulted in
> missing binary modules. It is true that sarge is no longer security
> supported, but since this was a regression caused by a security update
> we went ahead and released the fix.
>
> --
> dann frazier

Thanks for explanation.

-- 
Regards
Vladislav Kurz





lm-sensors update for sarge

2008-05-26 Thread Vladislav Kurz
Hello all,

A few days ago I was surprised that there is an update for lm-sensors (and 
libsensors3) for sarge. It is available from security.debian.org. I know that 
sarge does not have any security support any more, and there was no DSA about 
lm-sensors this year. So I ask - does anyone know what is going on?

-- 
Regards
Vladislav Kurz





ssh-vulnkey and authorized_keys

2008-05-15 Thread Vladislav Kurz
Hello all,

thanks for the quick response to the SSL bug and for providing ssh-vulnkey and
dowkd.pl. SSH-VULNKEY produces funny output when processing authorized_keys
with additional options like from="host", command="something to do",
no-agent-forwarding, etc...

Instead of the file name it prints these extra options. It is hard to find
such files then, especially if they are not in regular user homes but used for
special purposes (backups, monitoring) and located in unusual places.

It would be also helpful to print the line as dokuwd.pl does.
Is there any repository with newer versions of ssh-vulnkey or dokuwd.pl ?

-- 
Regards
Vladislav Kurz
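
The confusion described above comes from the option prefix that an
authorized_keys line may carry: options are comma separated, a value may be
double-quoted, and inside the quotes commas and spaces are literal while \"
is an escaped quote, so a naive "first word is the key type" split picks up
the options instead. As an added illustration (my own code, not part of the
post, of ssh-vulnkey or of dowkd.pl), here is a small C parser that splits a
line into options, key type, key and comment following those rules. The sample
lines and the key material in them are constructed and deliberately short.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One authorized_keys line split into its parts. */
struct ak_entry {
    char options[512];  /* raw option prefix, "" when absent */
    char keytype[64];   /* e.g. ssh-rsa, or the bit count of an SSH-1 key */
    char key[1024];     /* base64 blob (or exponent/modulus for SSH-1) */
    char comment[256];  /* rest of the line, trailing whitespace removed */
};

/* Constructed sample lines (dummy, shortened key material). */
const char *const AK_SAMPLE_OPTS =
    "from=\"10.0.0.0/8,192.168.1.1\","
    "command=\"/usr/bin/rsync --server --sender . /var/backups\","
    "no-agent-forwarding,no-pty "
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 backup@host\n";
const char *const AK_SAMPLE_PLAIN =
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA user@laptop\n";
const char *const AK_SAMPLE_ESC =
    "command=\"echo \\\"hi\\\"\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI ops@host\n";

/* A line without options starts with a key type (or bit count for SSH-1). */
static int starts_like_key(const char *s) {
    return strncmp(s, "ssh-", 4) == 0 || strncmp(s, "ecdsa-", 6) == 0 ||
           strncmp(s, "sk-", 3) == 0 || isdigit((unsigned char)*s);
}

static const char *skip_ws(const char *p) {
    while (*p && isspace((unsigned char)*p)) p++;
    return p;
}

/* Copy one whitespace-delimited token into out; return pointer after it. */
static const char *take_token(const char *p, char *out, size_t cap) {
    size_t n = 0;
    while (*p && !isspace((unsigned char)*p)) {
        if (n + 1 < cap) out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return skip_ws(p);
}

/* Returns 1 when the line holds a key, 0 for blank or '#' comment lines. */
int ak_parse_line(const char *line, struct ak_entry *e) {
    const char *p = skip_ws(line);
    size_t n = 0;
    memset(e, 0, sizeof *e);
    if (*p == '\0' || *p == '#') return 0;

    if (!starts_like_key(p)) {
        int quoted = 0;
        /* The option list ends at the first unquoted whitespace. */
        while (*p) {
            if (!quoted && isspace((unsigned char)*p)) break;
            if (quoted && *p == '\\' && p[1] == '"') {
                /* escaped quote inside a quoted value: keep both characters */
                if (n + 2 < sizeof e->options) {
                    e->options[n++] = '\\';
                    e->options[n++] = '"';
                }
                p += 2;
                continue;
            }
            if (*p == '"') quoted = !quoted;
            if (n + 1 < sizeof e->options) e->options[n++] = *p;
            p++;
        }
        e->options[n] = '\0';
        p = skip_ws(p);
    }
    p = take_token(p, e->keytype, sizeof e->keytype);
    p = take_token(p, e->key, sizeof e->key);
    strncpy(e->comment, p, sizeof e->comment - 1);
    n = strlen(e->comment);
    while (n > 0 && isspace((unsigned char)e->comment[n - 1])) e->comment[--n] = '\0';
    return 1;
}

/* Convenience accessor: one named field of a line, "" if the line has no key. */
const char *ak_field(const char *line, const char *name) {
    static struct ak_entry e;
    if (!ak_parse_line(line, &e)) return "";
    if (strcmp(name, "options") == 0) return e.options;
    if (strcmp(name, "keytype") == 0) return e.keytype;
    if (strcmp(name, "key") == 0) return e.key;
    return e.comment;
}

int main(void) {
    const char *samples[] = { AK_SAMPLE_OPTS, AK_SAMPLE_PLAIN, AK_SAMPLE_ESC, "# comment\n" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ak_entry e;
        if (!ak_parse_line(samples[i], &e)) continue;
        printf("type=%s key=%s comment=%s\n  options=%s\n",
               e.keytype, e.key, e.comment, e.options[0] ? e.options : "(none)");
    }
    return 0;
}
```

Running it over a whole file is a matter of feeding each line to ak_parse_line
and looking at keytype/key, which is what a key-checking tool needs regardless
of how many options precede the key.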





Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread Vladislav Kurz
On Tuesday 13 of May 2008, Dominic Hargreaves wrote:
> On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer wrote:
> >   <http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc>
> > (OpenPGP signature)
>
> This URL 404s (but the tool URL doesn't... possibly encouraging bad
> practice in running unverified code)

It seems to be another typo. The correct URL is apparently this:

http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.sig

> > Instructions how to implement key rollover for various packages will be
> > published at:
> >
> >   <http://www.debian.org/security/key-rollover/>
>
> This URL 404s too.

They state it WILL be published, but don't say when...

> Thanks for your efforts on this issue so far - obviously a bit of a
> nightmare.
>
> Cheers,
> Dominic.
>
> --
> Dominic Hargreaves | http://www.larted.org.uk/~dom/
> PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



-- 
Regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === [EMAIL PROTECTED] ===





Re: Kernel upgrade for 3Ware Driver issues?

2008-04-23 Thread Vladislav Kurz
On Wednesday 23 of April 2008, dann frazier wrote:
> On Tue, Apr 22, 2008 at 04:45:53PM -0600, Michael Loftis wrote:
> > --On April 22, 2008 11:21:25 PM +0200 Florian Weimer <[EMAIL PROTECTED]>
> >
> > wrote:
> >> I guess the number of systems with amd64 and a 3ware 7xxx/8 PATA
> >> controllers is pretty small, otherwise this bug would have been noticed
> >> earlier.  So the sky is not falling.
> >>
> >> Technically, this is not a security bug.
> >
> > It definitely affects non-64bit systems too, contrary to 3Ware's claims.
> > We had corruption on a 32bit system, which is what prompted us to start
> > figuring it out.
> >
> > And I agree, technically it isn't, but security is one of the few ways to
> > get updates into the distribution that are NMU.
>
> But that doesn't make them security issues. Don't get me wrong, I'd be
> all for a more fluid update process for non-security/critical issues,
> but it doesn't exist at the moment. The security team controls what
> goes out as a security update, and we're not going to get the security
> team to release a security update for a non-security issue.
>
> --
> dann frazier

Hello,

This might be a little off-topic, but I'd like to know: is there a 
definition of what a "security issue" is? Once I learned that security 
consists of confidentiality, integrity and availability. And data corruption 
destroys integrity and availability.

-- 
Vladislav Kurz





Re: [SECURITY] [DSA 1503-1] New Linux kernel 2.4.27 packages fix several issues

2008-03-03 Thread Vladislav Kurz
On Monday 03 of March 2008, Martin Geier wrote:
> Hi
>
> On Fri, Feb 29, 2008 at 05:06:18PM +0100, Vladislav Kurz wrote:
> [snip]
>
> > Yesterday I upgraded and rebooted a couple of machines that still use
> > kernel version 2.4.27, and one of them crashed after five and a half hours.
> > It still responded to pings, maybe routing and firewalling as well, but
> > SSH and other services were unavailable. This is the only machine still
> > using the ext2 filesystem.
>
> This may be a similar problem to one I had some time ago (on a PPC), so
> please try the following:
> Assuming that the machine is "dead", try killing all tasks via SysRq (see
> Documentation/sysrq.txt of the linux-kernel-source) and look if you get
> a login-prompt again.
>
> Does this work?

The system reacts to Alt-SysRq-e by saying "SysRq: terminate all tasks" but 
nothing else happens. Even Alt-SysRq-i says "kill all tasks" but it does not 
help. However, Alt-SysRq-b rebooted the system :-)

-- 
Regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === [EMAIL PROTECTED] ===





Re: [SECURITY] [DSA 1503-1] New Linux kernel 2.4.27 packages fix several issues

2008-03-02 Thread Vladislav Kurz
On Friday 29 of February 2008, Desai, Jason wrote:
> I have noticed very similar things with one of my boxes which was
> upgraded to the latest 2.4.27 kernel.  Sometimes, it would even hang
> when running depmod from the modutils init script when booting.  I did
> some troubleshooting, and found that the older kernel boots fine.
> Moving some modules out to a different directory allowed the system to
> boot.  But it would eventually hang after a few hours, sometimes after
> only minutes.  Like you indicated - ping would work.  But there was
> nothing in the logs on the screen for me.

Yes, that looks exactly the same as on my server. No log, nothing on the console.

> I had other systems upgraded to this kernel too, and they seem ok.  Most
> use ext3.  However one does use ext2, and so far it has been ok.  The
> system giving me problems is a VM running inside of VMWare Server.  I
> was thinking the issue may have been with VMWare.

My server does not use VMWare so I think we can ignore that.

-- 
Regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === [EMAIL PROTECTED] ===





Re: [SECURITY] [DSA 1503-1] New Linux kernel 2.4.27 packages fix several issues

2008-02-29 Thread Vladislav Kurz
Hello all,

I wanted to file this through the BTS but I'm not sure which package is the right 
place to file kernel related bugs. Therefore I post here.

It seems that the last upgrade of kernel 2.4.27 is causing system crashes and maybe 
even filesystem corruption, at least with the ext2 filesystem.

Yesterday I upgraded and rebooted a couple of machines that still use 
kernel version 2.4.27, and one of them crashed after five and a half hours.
It still responded to pings, maybe routing and firewalling as well, but SSH 
and other services were unavailable. This is the only machine still using 
the ext2 filesystem.

After rebooting it worked fine until I tried to access some parts of the 
filesystem. I suspected problems with the hard disk but there were no messages on 
the console (I expected I/O errors and such). Memory was fine as well.
Checking the filesystem with a read-only badblock scan "fsck -c /dev/hda2" reported 
everything OK. But the moment I tried to copy (rsync, tar) the filesystem 
to a new disk it crashed again. Copying the filesystem with dd was fine, but 
when I loop-mounted the image and tried to copy from there, the system crashed 
again. So I ruled out hardware problems and tried to reboot with the old kernel, 
and to my surprise I could read the "broken" filesystem without any problems.

With the old kernel I was able to rsync files to new hard drives, so the system is 
up and running now. (Using the old kernel.) I can provide a filesystem image 
of the "broken" /usr partition for analysis.

All my other servers running 2.4.27-4 kernels use ext3 filesystems and seem to be 
OK, but I'm quite afraid it might happen on ext3 as well.

These bugfixes seem to be the only ones that have something to do with 
ext2/ext3. Could someone look into this issue? I will try to be as helpful as 
possible debugging this stuff.

> CVE-2006-6053
>
> LMH reported a potential local DoS which could be exploited by a
> malicious user with the privileges to mount and read a corrupted ext3
> filesystem.
>
> CVE-2006-6054
>
> LMH reported a potential local DoS which could be exploited by a
> malicious user with the privileges to mount and read a corrupted ext2
> filesystem.
>

Anyway, big thanks to the security team for the work that they do.

-- 
Regards
Vladislav Kurz





Re: iptables and nmap

2007-06-07 Thread Vladislav Kurz
On Thursday 07 June 2007 15:51, Joan Hérisson wrote:
> Hello,
>
>   Config:
>   - Debian 2.4.18
>   - iptables with many rules
>
>   Problems:
>   - I have installed a tomcat 5.5 server. The server is 
> unreachable
> (connection failed from localhost or another host on my local network).
>
>   Tries:
>   - I have to open port 8080. I have this rule in 
> /etc/init.d.firewal-start :
>   "iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed"
>   where eth0 is the way toward the internet.
>   So I added this rule :
>   "iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed"
>   where eth1 is the way toward my local network

Hello,

it seems that you are using some firewall script which uses a lot of user 
defined chains: tcp_packets, allowed. Without understanding which packets get 
filtered by chain tcp_packets and what is happening in chain allowed, it is 
hard to guess what's wrong. Try this:
iptables -A INPUT -p tcp -i eth1 --dport 8080 -j ACCEPT

I suspect that you are using some firewall script made by someone else, and 
that script is too complicated to understand for anyone other than the author.
IMHO it's always better to make your own script that has only the rules you 
really need and understand.

>   Results:
>   - The server is still unreachable.
>   - When I do nmap localhost, I have port 80 open but not 8080.
>   - When I comment out the line for port 80 in firewall-start and 
> I
> restart firewall, I do nmap localhost, port 80 is still open.
>
>   I do not find the link between iptables rules and nmap.
>   Some ideas?

nmap shows you the reality defined by iptables. If nmap shows something 
different than you expected, it just means you do not understand how iptables 
works. You should visit http://www.netfilter.org/ and read man iptables.

-- 
Regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === [EMAIL PROTECTED] ===





Re: Web directories attacked with bad .htaccess

2006-01-27 Thread Vladislav Kurz
On Friday 27 January 2006 11:59, Ramon Acedo wrote:
> Hello,
Hello,

> As a measure I changed 777 to www-data owner + 755:
>
> find . -perm 777  -exec chmod 755 {} \; -exec chown www-data {} \;
>
> Where . was DocumentRoot

chown www-data is IMHO a bad idea. Apache/CGI/PHP will still have full 
(read/write) access to web content. (Unless you use suexec or something 
similar.) Web pages should be owned by some normal unprivileged user, 
preferably the one who reads "webmaster" e-mail, and chmod 644 (or 755 for 
directories).


-- 
Regards
Vladki





Re: Security risks due to packages that are no longer part of Debian?

2005-07-12 Thread Vladislav Kurz
On Monday 11 of July 2005 19:10, Christian Hammers wrote:
> Hello
>
> If a user upgrades his woody system to sarge and one package that has
> been part of woody is now no longer part of Debian nor being superseded by
> another package, will apt-get warn the user that this package is a
> potential security risk as Debian does not monitor nor provide fixes for
> reported security issues in this package?

I use dselect and it shows an obsolete/local packages section at the top of the 
package listing. By obsolete/local it means those that are not downloadable 
from any source defined in /etc/apt/sources.list.

Is that what you need?

-- 
Regards
Vladislav Kurz

=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address : Turgenevova 18, 61800 Brno, CZ, tax-id: 289-25528262
office : Veveri 9, 60200 Brno, CZ, tel & fax: +420 541 128 341
=== www.webstep.net === [EMAIL PROTECTED] ===





Re: local root exploit

2005-01-10 Thread Vladislav Kurz
On Monday 10 of January 2005 15:29, Jacques Lav!gnotte wrote:
> On Mon, 10 Jan 2005 15:19:33 +0100
>
> Vladislav Kurz <[EMAIL PROTECTED]> wrote:
> > mount -t tmpfs tmpfs /dev/shm
>
> Only root can do that.

But it can already be mounted, and the exploit can be modified to use any 
writeable directory instead.

>
>  Jacques

-- 
Regards
Vladislav Kurz





Re: local root exploit

2005-01-10 Thread Vladislav Kurz
On Fri, 07 Jan 2005 23:55:15 +0100, Arnaud Loonstra <[EMAIL PROTECTED]> 
wrote:
> Just tried the newly found exploits on a Woody system, it doesn't work...
> I get:
> [+] SLAB cleanup
> child 1 VMAs 143
> [+] moved stack bfffe000, task_size=0xc000, map_base=0xbf80
> [+] vmalloc area 0xc500 - 0xc9d17000
> [-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (No such file or
> directory)
> Killed
> 
> http://isec.pl/vulnerabilities/isec-0021-uselib.txt
> 
> Any others any other findings?
> 
> A. Loonstra

Hello,

I have tried the exploit and it works! It just needs to mount the /dev/shm 
filesystem, or you can modify the exploit to put temporary file into /tmp/ 
instead of /dev/shm/

mount -t tmpfs tmpfs /dev/shm

After that:

$ ./elflbl

[+] SLAB cleanup
child 1 VMAs 65527
child 2 VMAs 9756
[+] moved stack bfffe000, task_size=0xc000, map_base=0xbf80
[+] vmalloc area 0xc440 - 0xc8401000
Wait... /
[+] race won maps=10368
expanded VMA (0xbfffc000-0xe000)
[!] try to exploit 0xc48da000
[+] gate modified ( 0xffec90f4 0x0804ec00 )
[+] exploited, uid=0

sh-2.05a# whoami
root
sh-2.05a#

kernels tested:
kernel-image-2.4.18-1-586tsc 2.4.18-13.1
kernel-image-2.4.18-bf2.4  (left from installation)

compiled with:
gcc-2.95  2.95.4-11woody1

So, now the question is whether backporting the patch is on the way and when we can 
expect a DSA.

-- 
Best regards
Vladislav Kurz





Re: Running/Compiling latest snort on potato

2001-09-03 Thread Vladislav
Hello,

--- Shane Machon <[EMAIL PROTECTED]> wrote:

> I don't have to have 1.81 of snort (would be nice
> though!), just db
> support (1.7 or above)
> 
> Any success stories?
I used snort compiled from sources for 2 months. Then
I decided to add db support and tried to recompile it.
But it depends on so many libs that I decided it was better
to get the binary package. Also, I decided to make the snort box a
clean machine with only the necessary features, because it is
used only for intrusion detection (dedicated box).

1. Install base Debian system and select no additional
packages.
2. Download and manually (with dpkg) install necessary
packages (see list installed packages below).
3. Download and install ACID (Analysis Console for
Intrusion Databases).

Downloaded packages and tgz:
ACID-0.9.5b9.tar.gz
adduser_3.39_all.deb
apache-common_1.3.20-1_i386.deb
apache_1.3.20-1_i386.deb
debconf_0.9.77_all.deb
dialog_0.9a-20010527-1_i386.deb
fileutils_4.1-2_i386.deb
klogd_1.4.1-2_i386.deb
libbz2-1.0_1.0.1-10_i386.deb
libc6_2.2.3-6_i386.deb
libdb2_2.7.7-8_i386.deb
libdbd-mysql-perl_1.2216-2_i386.deb
libdbi-perl_1.18-1_i386.deb
libexpat1_1.95.1-5_i386.deb
libgdbmg1_1.7.3-27_i386.deb
libmm11_1.1.3-4_i386.deb
libmysqlclient10_3.23.39-3_i386.deb
libncurses5_5.2.20010318-2_i386.deb
libpcap0_0.6.2-1_i386.deb
libpcre3_3.4-1_i386.deb
libreadline4_4.2-3_i386.deb
libstdc++2.10-glibc2.2_2.95.4-0.010703_i386.deb
logrotate_3.5.4-2_i386.deb
mime-support_3.11-1_all.deb
mysql-client_3.23.39-3_i386.deb
mysql-common_3.23.39-3.1_all.deb
mysql-server_3.23.39-3_i386.deb
perl-base_5.6.1-5_i386.deb
perl-modules_5.6.1-5_all.deb
perl_5.6.1-5_i386.deb
php4-mysql_4.0.6-4_i386.deb
php4_4.0.6-1_i386.deb
php4_4.0.6-4_i386.deb
snort_1.7-9_i386.deb
sysklogd_1.4.1-2_i386.deb
zlib1g_1.1.3-15_i386.deb

Installed packages (dpkg -l):
ii  adduser         3.39
ii  ae              962-26
ii  apache          1.3.20-1
ii  apache-common   1.3.20-1
ii  apt             0.3.19
ii  base-config     0.33.2
ii  base-files      2.2.0
ii  base-passwd     3.1.10
ii  bash            2.03-6
ii  bsdutils        2.10f-5.1
ii  console-data    1999.08.29-11.
ii  console-tools   0.2.3-10.3
ii  console-tools-  0.2.3-10.3
ii  cron            3.0pl1-57.2
ii  debconf         0.9.77
ii  debianutils     1.13.3
ii  dialog          0.9a-20010527-
ii  diff            2.7-21
ii  dpkg            1.6.15
ii  e2fsprogs       1.18-3.0
ii  elvis-tiny      1.4-11
ii  fbset           2.1-6
ii  fdflush         1.0.1-5
ii  fdutils         5.3-3
ii  fileutils       4.1-2
ii  findutils       4.1-40
ii  ftp             0.10-3.1
ii  gettext-base    0.10.35-13
ii  grep            2.4.2-1
ii  gzip            1.2.4-33
ii  hostname        2.07
ii  isapnptools     1.21-2
ii  joe             2.8-15.2
ii  klogd           1.4.1-2
ii  ldso            1.9.11-9
ii  libbz2-1.0      1.0.1-10
ii  libc6           2.2.3-6
ii  libdb2          2.7.7-8
ii  libdbd-mysql-p  1.2216-2
ii  libdbi-perl     1.18-1
ii  libexpat1       1.95.1-5
ii  libgdbmg1       1.7.3-27
ii  libmm11         1.1.3-4
ii  libmysqlclient  3.23.39-3
ii  libncurses5     5.2.20010318-2
ii  libnewt0        0.50-7
ii  libpam-modules  0.72-9
ii  libpam-runtime  0.72-9
ii  libpam0g        0.72-9
ii  libpcap0        0.6.2-1
ii  libpcre3        3.4-1
ii  libpopt0        1.4-1.1
ii  libreadline4    4.2-3
ii  libssl09        0.9.4-5
ii  libstdc++2.10   2.95.2-13
ii  libstdc++2.10-  2.95.4-0.01070
ii  libwrap0        7.6-4
ii  lilo            21.4.3-2
ii  locales         2.1.3-18
ii  login           19990827-20
ii  makedev         2.3.1-46.2
ii  mawk            1.3.3-5
ii  mbr             1.1.2-1
ii  mime-support    3.11-1
ii  modutils        2.3.11-13.1
ii  mount           2.10f-5.1
ii  mysql-client    3.23.39-3
ii  mysql-common    3.23.39-3.1
ii  mysql-server    3.23.39-3
ii  ncurses-base    5.0-6.0potato1
ii  ncurses-bin     5.0-6.0potato1
ii  netbase         3.18-4
ii  passwd          19990827-20
ii  pciutils        2.1.2-2
ii  perl            5.6.1-5
ii  perl-base       5.6.1-5
ii  perl-modules    5.6.1-5
ii  php4            4.0.6-4
ii  php4-mysql      4.0.6-4
ii  ppp             2.3.11-1.4
ii  pppconfig       2.0.5
ii  procps          2.0.6-5
ii  psmisc          19-2
ii  pump            0.7.3-2
ii  sed             3.02-5
ii  setserial       2.17-16
ii  shellutils      2.0-7
ii  slang1          1.3.9-1
ii  snort           1.7-9
ii  ssh             1.2.3-9.3
ii  sysklogd        1.4.1-2
ii  syslinux        1.48-2
ii  sysvinit        2.78-4
ii  tar             1.13.17-2
ii  tasksel         1.0-10
ii  tcpd            7.6-4
ii  telnet          0.16-4potato.1
ii  textutils       2.0-2
ii  update          2.11-1
ii  util-linux      2.10f-5.1
ii  zlib1g          1.1.3-15

This linux-box has 3 network interfaces:
1 - connected to LAN (used to view results and maintain the
box)
2,3 - sensors without ip-addresses assigned (simply
ifconfig eth0 up, for snort this is enough) attached
to 2 different segments of the DMZ.

Very stable decision, I have no problem with it.



=====
Regards, Vladislav. ---> http://cybervlad.port5.com


Re: read-write to stdin-stdout or to a file?

2001-07-20 Thread Vladislav
Hola!

--- Pedro Zorzenon Neto <[EMAIL PROTECTED]> wrote:

> This program needs to read data from a file and
> also write to another file.
> 
> I could use some options like this:
> 
>   $ avrprog -i input.data -o output.data
> 
> But I chose to use stdin/stdout instead.
> 
>   $ avrprog < input.data > output.data
> 
> Then I don't need to check if the user has
> permission to read/write that file, don't need to
> check for symlink... because the shell will do this
> for me.
>
> Is this right? Did I make the right option when I
> decided to use stdin/stdout?

I think the better way is to use the freopen() function
to reassign stdin, stdout and stderr.
This is a more secure and shell-independent decision...


=
Regards, Vladislav. ---> http://cybervlad.port5.com
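
As an added example (my own code, not code from the thread), here is the
freopen() approach in practice: a filter that binds its input and output
files to stdin/stdout itself, so the processing code stays a plain
stdin-to-stdout filter whether the program was started with shell redirection
or with explicit paths. Because the open now happens inside the program with
its own credentials rather than in the shell, every freopen() result is
checked; a failed freopen() leaves the stream closed, so the program stops
rather than continuing to write into a closed stream. stderr is left untouched
so diagnostics still reach the user. The mkstemp() helper, the /tmp paths and
the demo text are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Reopen `stream` on `path`; a NULL path keeps the inherited stream.
 * Returns 0 on success, -1 on failure (with a message on stderr, which is
 * deliberately never reassigned here so diagnostics still reach the user). */
int reopen_stream(const char *path, const char *mode, FILE *stream)
{
    if (path == NULL)
        return 0;
    if (freopen(path, mode, stream) == NULL) {
        fprintf(stderr, "cannot open %s: %s\n", path, strerror(errno));
        return -1;
    }
    return 0;
}

/* The program's real work: copy stdin to stdout.
 * Returns the number of bytes copied, or -1 on a read/write error. */
long copy_stdin_to_stdout(void)
{
    char buf[4096];
    size_t n;
    long total = 0;

    while ((n = fread(buf, 1, sizeof buf, stdin)) > 0) {
        if (fwrite(buf, 1, n, stdout) != n)
            return -1;
        total += (long)n;
    }
    if (ferror(stdin) || fflush(stdout) != 0)
        return -1;
    return total;
}

/* Bind the requested paths (either may be NULL) and run the filter. */
long run_filter(const char *in_path, const char *out_path)
{
    if (reopen_stream(in_path, "r", stdin) != 0)
        return -1;
    if (reopen_stream(out_path, "w", stdout) != 0)
        return -1;
    return copy_stdin_to_stdout();
}

/* Demo helper: put `text` into a fresh mkstemp() file under /tmp (created
 * exclusively, mode 0600) and return its malloc'd path, NULL on failure. */
char *make_temp_file(const char *text)
{
    char tmpl[] = "/tmp/freopen_demo_XXXXXX";
    size_t len = strlen(text);
    int fd = mkstemp(tmpl);
    char *path;

    if (fd < 0)
        return NULL;
    if (write(fd, text, len) != (ssize_t)len) {
        close(fd);
        return NULL;
    }
    close(fd);
    path = malloc(sizeof tmpl);
    if (path != NULL)
        memcpy(path, tmpl, sizeof tmpl);
    return path;
}

/* Demo helper: 1 if the file at `path` holds exactly `expected`, else 0. */
int file_equals(const char *path, const char *expected)
{
    char buf[4096];
    size_t n;
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return 0;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

/* usage: ./filter [input-path [output-path]]; "-" keeps the inherited stream */
int main(int argc, char **argv)
{
    const char *in = (argc > 1 && strcmp(argv[1], "-") != 0) ? argv[1] : NULL;
    const char *out = (argc > 2 && strcmp(argv[2], "-") != 0) ? argv[2] : NULL;
    long copied = run_filter(in, out);

    if (copied < 0)
        return 1;
    fprintf(stderr, "copied %ld bytes\n", copied);
    return 0;
}
```

With "-" for both arguments the program behaves exactly as it would under
shell redirection, which makes the two styles interchangeable from the
caller's point of view.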



Re: Snort

2001-07-10 Thread Vladislav
Hello,

--- dude <[EMAIL PROTECTED]> wrote:

> Is there any way to get snort to send more than
> daily reports from snort?
You can set up logging into a database (i.e. mysql), then
use acid (http://www.andrew.cmu.edu/~rdanyliw/snort/).
This way you can get reports at any time, on request.
Unfortunately, in this case you need a mysql database and
a php4-enabled apache server.
 
Best regards, Vlad.
http://www.geocities.com/hugevlad





Re: detecting portscanning

2001-05-25 Thread Vladislav
Hello,
--- Rudy Gevaert <[EMAIL PROTECTED]> wrote:

> > Check out www.snort.org. Snort capable to detect
> > portscans. Note, that not only portscans, but
[skip]
> Could I use this with ippl?  Or just on portscanning
> system?
As you wish, but you don't need any additional
ip-logging systems when you use snort. You can log
only headers, you can log full packets in various
formats (text, syslog, tcpdump-compatible etc., including
logging into an SQL database).
Snort is a libpcap-based packet sniffer/logger which
can be used as a lightweight network intrusion
detection system. It features rules based logging and
can perform content searching/matching in addition to
being used to detect a variety of other attacks and
probes, such as buffer overflows, stealth port scans,
CGI attacks, SMB probes, and much more. Snort has a
real-time alerting capability, with alerts being sent
to syslog, a separate "alert" file, or even to a
Windows computer via Samba. 
When I installed snort on my computer, I deleted
tcplogd, icmplog, and other such systems.


=
Regards, Vladislav. ---> http://cybervlad.port5.com




Re: detecting portscanning

2001-05-24 Thread Vladislav
Hello,
--- Rudy Gevaert <[EMAIL PROTECTED]> wrote:
> It is my first time I'm putting up a server (at
> home, cable modem) with
> ftp/ssh/apache on it.
> 
> Now I would like to know who does portscans on my
> machine, and when.  And
> how many.
> 
> Is there a package for it in debian?  Or do I have
> to install something
> else.
Check out www.snort.org. Snort is capable of detecting
portscans. Note that it detects not only portscans but other
"strange" activities (i.e. tracing, os fingerprinting,
etc.) and attacks. You can download sources from the
original site or get the *.deb from debian (it is included
in the latest release).


=
Regards, Vladislav. ---> http://cybervlad.port5.com



