Re: doing an ssh into a compromised host
Greetings!

On Tue, 2 Nov 2004 08:59:07 +0200 (IST) Vassilii Khachaturov [EMAIL PROTECTED] wrote:

> I have been doing ssh into the box. The client is set up not to request
> the X forwarding by default. When I try ssh -v now, I observe no X
> forwarding being established, whereas ssh -X -v does establish X.
> Question is, could the server have forced an X forwarding on me (w/o my
> knowledge) having sniffed my local keystrokes?

You could force the SSH client to *not* forward X11 with -x (the lower-case x character) regardless of other client/server-side specifications. If you do not specify any other special forwarding (-L or -R) then there will be no forwarding.

HTH
Volker Tanger
ITK Security

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Spyware / Adware
Greetings!

On Tue, 31 Aug 2004 13:17:22 +0200 (MEST) Martin Fries [EMAIL PROTECTED] wrote:

> I'm not an expert. Just a normal user. But I think Linux is vulnerable
> like any other OS.

Yes and no. When surfing as normal user, *ware programs cannot install themselves as system services or overwrite programs simply because you/they do not have the (file) permissions to do so. You either have to install them explicitly (manually) as root/admin or you have to explicitly save them and subsequently start them via shell = command line. As this is awkward and unattractive to the normal user, the risk of inadvertently executing such a program is considerably lower than under Windows ("click on the attachment" type of attacks). Plus there is no such thing as the standard Microsoft remote virus installation tools (IE and Outlook) that come with such great *ware support technologies as ActiveX.

> install and configure :) a firewall

Better: install your workstation so it does not have services running you don't need. Or bind them to the local / loopback interface so they are unreachable for an attacker. This renders a firewall unnecessary in most cases.

> don't work as root (Administrator) !!!

sic !!!

Bye
Volker Tanger
ITK Security
Re: Squid proxy help
> I was just wondering if you know how I could possibly setup squid so
> that it will accept connections from the internet and filter before
> they hit an IIS6 hosted intranet.

RTFM!

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html
http://squid.visolve.com/squid/squid24s1/access_controls.htm

Bye
Volker Tanger
ITK Security
Re: Watch out! vsftpd anonymous access always enabled!
Greetings!

On Sat, 20 Sep 2003 12:47:21 +0200 Robert van der Meulen [EMAIL PROTECTED] wrote:

> I was working on a newly-installed machine for a customer who requires
> an ftp server. After installing vsftpd (which I *had* good experience
> with), I noticed that the 'anonymous_enable' switch in
> /etc/vsftpd.conf, when set to 'NO', *does* allow anonymous access.
> Logging in using the 'anonymous' user does not work, logging in using
> the 'ftp' user *does* work. The 'ftp' user is listed in /etc/passwd and
> /etc/shadow, and has a disabled password on all machines where I tried
> this and saw it working. I was only able to test this with 1.2.0-2 .
> If anyone here is running vsftpd on a non-anonymous box, I'd make sure
> to check this too. In the case of this customer (who has pretty
> sensitive data on his box), this could have been quite a disaster.

On Woody/stable I have version 1.0.0-2 and everything is fine here:

Sep 22 10:03:24 login vsftpd: PAM-listfile: Refused user anonymous for service ftp
Sep 22 10:03:24 login PAM_unix[30725]: auth could not identify password for [ftp]
Sep 22 10:03:43 login vsftpd: PAM-listfile: Refused user ftp for service ftp
Sep 22 10:03:43 login PAM_unix[30875]: auth could not identify password for [ftp]

--- /etc/vsftpd.conf - excerpt ---
# Allow anonymous FTP?
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES

Bye
Volker Tanger
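A small audit of the combination discussed in this thread, added here as an example (not code from the list or from vsftpd): with anonymous_enable=NO but local_enable=YES, the system account 'ftp' that exists for the anonymous service can still be a candidate for a *local* login unless something like the PAM list file seen in the log above refuses it. The config, passwd excerpt and deny list below are constructed strings; the assumption that the deny list has the one-username-per-line /etc/ftpusers format of pam_listfile is mine.

```python
"""Check a vsftpd configuration for the 'ftp' local-login gap.

Inputs are plain strings so this runs offline; on a real host you would read
/etc/vsftpd.conf, /etc/passwd and the pam_listfile deny file instead.
"""
import re

# Constructed sample: the excerpt quoted in the thread
VSFTPD_CONF = """\
# Allow anonymous FTP?
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
"""

# Constructed /etc/passwd excerpt: 'ftp' is a system account with no usable shell
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:106:65534::/home/ftp:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
"""

# Constructed deny list (assumed /etc/ftpusers layout: one username per line)
FTPUSERS = "root\nftp\n"


def parse_vsftpd_conf(text):
    """Return {option: value} for 'key=value' lines; '#' comments and blanks are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_]+)\s*=\s*(.*)$", line)
        if m:
            opts[m.group(1).lower()] = m.group(2).strip()
    return opts


def passwd_users(text):
    """Usernames from passwd-style lines (first colon-separated field)."""
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}


def denied_users(text):
    """Usernames a pam_listfile deny file would refuse."""
    return {u.strip() for u in text.splitlines() if u.strip() and not u.startswith("#")}


def audit(conf_text, passwd_text, ftpusers_text):
    """Return a list of findings (empty list = nothing to report)."""
    opts = parse_vsftpd_conf(conf_text)
    findings = []
    # vsftpd.conf(5) documents the compiled-in defaults: anonymous_enable=YES, local_enable=NO
    anon = opts.get("anonymous_enable", "YES").upper()
    local = opts.get("local_enable", "NO").upper()
    if anon == "YES":
        findings.append("anonymous_enable is YES (the default when unset): anonymous FTP is on")
    if local == "YES":
        present = passwd_users(passwd_text)
        denied = denied_users(ftpusers_text)
        if "ftp" in present and "ftp" not in denied:
            findings.append("local_enable=YES and system account 'ftp' exists but is not in the "
                            "PAM deny list: 'ftp' may still log in as a local user")
    return findings
```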
Re: OT: An Idea for an IDS
Greetings!

On Mon, 30 Jun 2003 18:38:33 -0400 Phillip Hofmeister [EMAIL PROTECTED] wrote:

> This daemon would then parse the log and look for suspicious things. If
> it found something suspicious it would use regular expression to grab
> out pertinent parts of the log (say the IP address) and act on the log
> accordingly (in real time) by say dropping an IPTABLE rule down on the
> IP address.

...which is the official license to shoot yourself in the foot. What happens if I send you a forged, suspicious packet with source-IP equal to the IP address of your gateway router, your DNS server, your internal system(s), ...

Because of this reason automated systems did not get much acceptance as they were/are more a hassle than useful. Today there are only very few systems left that still implement some automated IP-killing scheme.

Bye
Volker Tanger

--
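The log-to-firewall daemon sketched above, written as an added example (not code from either poster) with the guard the reply calls for: a source address taken from a log line is never turned into a rule if it falls inside a protected set (loopback, the gateway, the resolver, internal ranges), so a forged packet carrying one of those addresses cannot make the daemon cut the box off from its own infrastructure. The log lines, the addresses and the rule format are constructed; the gateway and resolver addresses are placeholders.

```python
"""Plan block rules from failed-login log lines without ever blocking our own infrastructure."""
import ipaddress
import re
from collections import Counter

# Constructed protected set: loopback, gateway, resolver (placeholders), RFC 1918 space
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",      # loopback
    "192.0.2.1/32",     # gateway router (placeholder)
    "192.0.2.53/32",    # DNS server (placeholder)
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # internal systems
)]

# Constructed sshd-style log sample (RFC 5737 documentation addresses)
LOG = """\
Jun 30 18:38:01 gw sshd[811]: Failed password for root from 198.51.100.7 port 4133 ssh2
Jun 30 18:38:03 gw sshd[812]: Failed password for root from 198.51.100.7 port 4140 ssh2
Jun 30 18:38:05 gw sshd[813]: Failed password for root from 198.51.100.7 port 4151 ssh2
Jun 30 18:38:06 gw sshd[814]: Failed password for admin from 192.0.2.53 port 3322 ssh2
Jun 30 18:38:07 gw sshd[815]: Failed password for admin from 192.0.2.53 port 3323 ssh2
Jun 30 18:38:08 gw sshd[816]: Failed password for admin from 192.0.2.53 port 3324 ssh2
Jun 30 18:38:09 gw sshd[817]: Accepted publickey for ops from 203.0.113.9 port 5000 ssh2
"""

# The "regular expression to grab out the IP address" from the proposal
FAILED = re.compile(r"Failed password for \S+ from (\d{1,3}(?:\.\d{1,3}){3}) port")


def suspicious_sources(log_text, threshold=3):
    """Count failed logins per source address; return those at or over the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return [ip for ip, n in counts.items() if n >= threshold]


def is_protected(ip_str):
    """True if the address must never be blocked, whatever the log says."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in NEVER_BLOCK)


def plan_blocks(log_text, threshold=3):
    """Return (rules, skipped): rule strings for blockable sources, and the
    protected addresses that were refused so an operator can review them
    (a failed-login burst from the resolver's address is more likely a forgery
    than a reason to drop DNS)."""
    rules, skipped = [], []
    for ip in suspicious_sources(log_text, threshold):
        if is_protected(ip):
            skipped.append(ip)
        else:
            rules.append(f"iptables -I INPUT -s {ip} -j DROP")
    return rules, skipped
```

The rules are only planned and returned, not executed; applying them with a timeout and a review step is where the real daemon would go.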
Re: Encrypting/emailing logs and configs
Greetings!

Sean McAvoy wrote:

> I was looking at configuring a few of my VPN/Firewall systems to send
> me daily backups of vital config files, and selected log files. I was
> wondering what would be the easiest method of accomplishing this? I was
> thinking something along the lines of just tar/bzip and then gpg to
> encrypt. What other possibilities are there? And has anyone else setup
> something similar?

If you don't have the space/equipment/systems/security to use rsync via ssh (as suggested a number of times already), tar and gpg just do fine. bzip2 is not really necessary as gpg compresses the input per default (okay rate, comparable to gzip).

Advantage of tar+gpg+mail is that you don't have DSA keys to your machines lying around on your management system as you will have with rsync over ssh. If you want to use rsync/ssh you should really lock down and protect your management system. For the tar+gpg+mail solution (nearly) any client PC will do - as long as you don't unpack the mails and keep your GPG keyring safe...

Bye
Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin
fon +49 30 6104-3307
fax +49 30 6104-3461
[EMAIL PROTECTED]
http://www.discon.de/
Security-Update of LISTAR broken...
Greetings!

A few days ago I updated the LISTAR maillist software (apt-get update; apt-get dist-upgrade) with the latest security fix (a buffer overflow IIRC). Since then, the program won't work anymore - does not produce any output, returns with exit code 75.

Seems the security fix is broken?

Bye
Volker

--
Volker Tanger [EMAIL PROTECTED] -===- Research Development Division, WYAE
Re: hosts deny, allow
Greetings!

On Mon, Feb 11, 2002 at 10:10:38PM +0700, [EMAIL PROTECTED] wrote:

> I am a new user of Debian Linux,
> 1. I try to configure in hosts.deny :

If you want finer access rule granulation, I'd suggest using XINETD instead of INETD, which is available as an alternate .DEB (and supported by a number of server packages).

Bye
Volker

--
Volker Tanger [EMAIL PROTECTED] -===- Research Development Division, WYAE
Re: Mail server anti-virus software?
Greetings!

On Mon, Jan 21, 2002 at 12:17:56PM +0200, Mikko Kilpikoski wrote:

> Well, here's my list of questions:
> Are there any free or no cost solutions (for corporate use)?

For exim there is a filter which rejects all mail with directly executable files attached (ftp.exim.org/pub/filter - or similar). While not a virus filter it helps protect from stupid mistakes and overly (virus-)friendly mail clients.

> Should I go for McAfee, Kaspersky, H+BEDV, Trend Micro, F-Secure or
> something else?

At work we use Trend with good success. It comes with builtin HTTP proxy and mail gate, so no manual configuration of mail servers needed for integration. Web interface is nice for Win*-spoiled admins, but plain config file editing works just as well.

> Also, which mailserver would you recommend? (I have to learn one anyway.)

Postfix or exim. I found exim to be easier to set up - which might have to do with the not-so-good/extensive docs for postfix...

Bye
Volker

--
Volker Tanger [EMAIL PROTECTED] -===- Research Development Division, WYAE
Re: Mailserver HDD organization
Greetings!

On Thu, Jan 17, 2002 at 07:06:37AM +0100, eim wrote:

> I was thinking about a partition for /, one for boot, one for
> /var/spool/mail and some other important system parts.

As you want to use exim and mailing lists, you will want to have a partition for /var or /var/spool instead of /var/spool/mail as the exim outgoing queue is at /var/spool/exim. OTOH the logs are at /var/logs - so in short form:

/var/spool/mail - only the user mailboxes
/var/spool      - user mailboxes /var/spool/mail
                - exim outgoing queue /var/spool/exim
/var            - user mailboxes /var/spool/mail
                - exim outgoing queue /var/spool/exim
                - exim logfiles /var/log/exim

Thus I'd recommend to use a separate partition for the complete /var tree. So I usually partition for mailservers and similar:

/dev/sda1  (swap)   1 GB
/dev/sda2  /        2 GB
/dev/sda3  /var    15 GB (i.e. all remaining)

and maybe

/dev/sda4  /tmp   512 MB

> Has anyone real-life examples of running mailservers, maybe some HDD
> organization infos, MTA infos and other important related know-how to
> run a secure and stable mailserver on my network.

Install on a clean, minimized system. Just base (including exim), ssh (for admin) and maybe pop or imap. Webserver only for webmail. No workstation tools or other playthings. Especially no user working on that server (no local login), no fileservices (neither NFS nor SAMBA), no FTP (uploads). Concentrate on the function - here: mail.

Keep an eye on safe configuration. Especially make damn sure that you don't end up as open relay (i.e. properly configured anti-spoofing).

If you want filtering, look at the exim contrib directory, there for a file called system_filter.exim

Have fun!
Volker

--
Volker Tanger [EMAIL PROTECTED] -===- Research Development Division, WYAE
Re: Fw: Can a daemon listen only on some interfaces?
Greetings!

At 09.12.2001, [EMAIL PROTECTED] wrote:

> [...] And thanks for all the replies. In fact I was most interested to
> hear that you could not make daemons listen on only one interface but
> you could make them bind to an IP address range. I guess that is what I
> achieved in my postfix main.cf file with the line:
> inet_interfaces = localhost

If using the meta-daemon XINETD instead of INETD you can specify the interface (= bind) option, where you can specify on which interface only the service should listen. See man xinetd.conf

HTH
Volker

--
Volker Tanger [EMAIL PROTECTED] -===- Research Development Division, WYAE
Re: IPChains vs Cisco IOS Packet Filters
On 12 Apr, Eugene van Zyl wrote:

> Can anyone tell me whether the Packet Filter on the Cisco IOS does
> stateful packet inspection ? and whether I'll be losing by replacing
> it with IPChains on Kernel 2.2.17?

Not a big difference - neither Cisco IOS nor IPchains offer stateful inspection. For that choose Kernel 2.4 (IPtable) or *BSD (netfilter)

Bye
Volker

--
Volker Tanger [EMAIL PROTECTED] -===- Research Development Division, WYAE
Re: Anti Virus for Debian
On 20 Feb, Mario Zuppini wrote:

> I would also like to know of virus scanners especially for mail
> servers ie sendmail that will work on a SPARC ???

There is a number of them being offered from commercial companies, e.g. TrendMicro InterScan VirusWall. Just look around at the "big" AV-companies.

Bye
Volker

--
Volker Tanger [EMAIL PROTECTED] -===- Research Development Division, WYAE
Re: Nessusd
Greetings!

On 13 Feb, Craig wrote:

> I am trying to setup nessusd ... been though the config files but I
> keep getting the following error message when trying to connect via
> the windows client:
> ERROR: Server doesn't support NSP/0.3 protocol. Connection terminated.

The nessusd in Debian 2.2 is a 0.9x version whereas the Windows client is a 1.0.7 (probably) release. The client-server protocol changed some time ago. So you either have to use 0.9x server AND client - or both 1.0.x.

Best solution would be to update the server to 1.0.7. Just uninstall the debian file, grab the current tarballs from http://www.nessus.org/ and install that manually.

Bye
Volker

--
Volker Tanger [EMAIL PROTECTED] -===- Research Development Division, WYAE
Re: connecting to my box
Greetings!

On 27 Jan, Mohammed Elzubeir wrote:

> I just changed it and removed the last ':', and now I get "Permission
> denied". This is crazy. I just want to be able to ssh.. that's all.
> Why is it so damn weird on Debian.. this is the first time EVER that I
> had a hard time setting up ssh, on ANY unix or linux.

Woooha - one idea comes to my mind: maybe you have the default (ipchains) firewall module installed (without noticing)? Check that - IIRC that denies ANY connection to the box.

Bye
Volker

--
Volker Tanger [EMAIL PROTECTED] -===- Research Development Division, WYAE
Re: Mutt/gnupg
Greetings!

On 11 Dec, Eduardo Gargiulo wrote:

> I'm using gnupg, and I put in my .muttrc
> set pgp_sign_command="gpg --clearsign"
> but the signature is attached in binary format. How can I sign my
> messages in ASCII from mutt?

The --clearsign option lets you see the message text even if you did not check the signature. For ASCII compatible code you need the --armor (or -a) switch. With both you get an unchecked-readable mail with an ASCII signature. And that's what you were looking for, right?

Bye
Volker

--
Volker Tanger [EMAIL PROTECTED] -===- Research Development Division, WYAE