Re: Security question about daemon-init

2023-08-29 Thread Darac Marjal


On 29/08/2023 18:35, Bhasker C V wrote:

> Apologies in advance for cross-group posting.
>
> I have enabled selinux and after carefully allowing certain
> permissions, I have put my system in enforcing mode
>
> I do see a suspicious line like this
>
> [  115.089395] audit: type=1400 audit(1693329979.841:11): avc:  denied
>  { getattr } for  pid=3104 comm="daemon-init"
> path="/home/bcv/.thunderbird" dev="dm-5" ino=257
> scontext=system_u:system_r:virtd_t:s0
> tcontext=system_u:object_r:thunderbird_home_t:s0 tclass=lnk_file
> permissive=0
>
> I am not sure why on earth would daemon-init try to read .thunderbird
> directory under my homedir .
>
> Has anyone faced this problem?
>
> What is this daemon-init program and why does it want access to my
> home thunderbird directory ?

According to
https://packages.debian.org/search?suite=bookworm&arch=any&mode=filename&searchon=contents&keywords=daemon-init
there is no file within Debian Stable named "daemon-init".

> Regards
> Bhasker C V




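
Added example, not part of the original thread: a shell/awk helper that breaks an AVC denial such as the one quoted above into source type, target type, class and permission, and tallies repeats. The first sample record is the one from the post joined onto one line, the second is a constructed repeat, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: triage helper for SELinux AVC denials in kernel/audit logs.
# Function names are hypothetical.

# avc_summarise: read log lines on stdin and print one line per denial:
#   <mode> <source type> <target type>:<class> <perms> comm=<task> path=<path>
# comm= is the kernel task name of the calling thread; it need not match the
# name of any file on disk. Splitting on whitespace is safe here because the
# audit code hex-encodes values that contain spaces.
avc_summarise() {
    awk '
    /avc:/ && /denied/ {
        split("", f)                        # reset the key=value map
        perms = ""
        if (match($0, /[{][^}]*[}]/)) {     # permissions sit inside { ... }
            perms = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 1) {
                v = substr($i, eq + 1)
                gsub(/"/, "", v)
                f[substr($i, 1, eq - 1)] = v
            }
        }
        # A context is user:role:type:level; the type decides the access.
        split(f["scontext"], s, ":")
        split(f["tcontext"], t, ":")
        # permissive=0: the access was refused. permissive=1: only logged.
        p = f["permissive"]
        mode = (p == "0") ? "blocked" : ((p == "1") ? "logged-only" : "unknown")
        printf "%s %s %s:%s %s comm=%s path=%s\n",
               mode, s[3], t[3], f["tclass"], perms, f["comm"], f["path"]
    }'
}

# avc_tally: collapse repeated denials into "<count> <rule>" lines,
# most frequent first, so that one noisy rule does not hide the others.
avc_tally() {
    avc_summarise | cut -d' ' -f1-4 | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Sample input: record 1 is the one from the post on a single line,
# record 2 is a constructed repeat, line 3 is constructed noise.
sample_log() {
    cat <<'EOF'
[  115.089395] audit: type=1400 audit(1693329979.841:11): avc:  denied  { getattr } for  pid=3104 comm="daemon-init" path="/home/bcv/.thunderbird" dev="dm-5" ino=257 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:thunderbird_home_t:s0 tclass=lnk_file permissive=0
[  115.090112] audit: type=1400 audit(1693329979.842:12): avc:  denied  { getattr } for  pid=3104 comm="daemon-init" path="/home/bcv/.thunderbird" dev="dm-5" ino=257 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:thunderbird_home_t:s0 tclass=lnk_file permissive=0
[  116.000000] unrelated kernel message
EOF
}

sample_log | avc_summarise
sample_log | avc_tally
```

On a live system the same functions can read from `dmesg` or from the audit log instead of `sample_log`.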


Re: Security question concerning jail or virtualization

2014-03-14 Thread Артур Истомин
On Fri, Mar 14, 2014 at 03:50:09AM +0100, Martin Braun wrote:
> Hi
> 
> I have recently experienced a server being "hacked" due to a security
> problem with a PHP application that made it possible for the "hacker" to
> gain a web shell.
> 
> Due to this experience I would like to know what the best way to limit such
> problems is, especially when hosting web servers for users who may or may
> not installed unsecure applications on the web server.
> 
> What does the big hosters do? What do they use?
> 
> The solution can't be too complicated to maintain and I would prefer each
> user being completely separated from the main OS and from other users.
> 
> I have been thinking about running Debian inside FreeBSD Jails or "The
> Warden". I have also been thinking about using Xen and installing several
> Debians on Debian.

Nginx/Apache on OpenBSD runs in chroot. I think it is wise to see how
they are doing that.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140314172905.GA9135@localhost



Re: Security question concerning jail or virtualization

2014-03-14 Thread Mr Queue
On Fri, 14 Mar 2014 03:50:09 +0100
Martin Braun  wrote:

> Hi
> 
> I have recently experienced a server being "hacked" due to a security
> problem with a PHP application that made it possible for the "hacker" to
> gain a web shell.
> 
> Due to this experience I would like to know what the best way to limit such
> problems is, especially when hosting web servers for users who may or may
> not installed unsecure applications on the web server.
> 
> What does the big hosters do? What do they use?
> 
> The solution can't be too complicated to maintain and I would prefer each
> user being completely separated from the main OS and from other users.
> 
> I have been thinking about running Debian inside FreeBSD Jails or "The
> Warden". I have also been thinking about using Xen and installing several
> Debians on Debian.
> 
> What is the best (and if possible simplest) way to deal with this?
> 
> Kind regards

Run your application as a normal user and the shells that they will keep
getting until your developers patch your application won't matter at all,
other than pissing off the rest of the world with their spam/flood/whatever.

That's it for Debian in this thread. The rest is for some php coding list.

http://www.suphp.org/Home.html


Archive: https://lists.debian.org/20140314094837.7c3f3...@mrqueue.com



Re: Security question concerning jail or virtualization

2014-03-14 Thread shawn wilson
On Fri, Mar 14, 2014 at 4:30 AM, Scott Ferguson
 wrote:
> On 14/03/14 15:51, shawn wilson wrote:
>>
>> On Mar 14, 2014 12:13 AM, "Brad Alexander" > > wrote:
>>>
>>
>
> Due to this experience I would like to know what the best way to
>> limit such problems is, especially when hosting web servers for users
>> who may or may not installed unsecure applications on the web server.
>>>
>

> None of those methods are dependent on password access.

The initial attack isn't. Post exploit is. Again, I'd think there are
legal issues with auditing your clients' software making all of this
moot (besides my recommendation for a layer 7 firewall).

> Password security for the server (as distinct from user web
> applications) *should* be part of any webserver security. Debian
> provides dsniff and John the Ripper which are used in industry best
> practice password auditing.
> By default Debian implements md5 and shadow which are the 'basis' of
> best practice password security (auditing are other practices add to
> those things).
>

For most use cases, see hashcat - not jtr. Also default hash on debian
is ssha per the $6$ in shadow - not md5. See:
http://en.wikipedia.org/wiki/Crypt_%28C%29
It should also be noted - don't use md5 - ever. If you're dealing with
web apps, use bcrypt or scrypt.


Archive: https://lists.debian.org/CAH_OBiem65D-_gMJFsztCCGVqz+WcoDE8TptMzS==cyizp7...@mail.gmail.com



Re: Security question concerning jail or virtualization

2014-03-14 Thread Scott Ferguson
On 14/03/14 15:51, shawn wilson wrote:
> 
> On Mar 14, 2014 12:13 AM, "Brad Alexander"  > wrote:
>>
> 

 Due to this experience I would like to know what the best way to
> limit such problems is, especially when hosting web servers for users
> who may or may not installed unsecure applications on the web server.
>>

Web server and system security is a big subject.
Regardless of the use case a systematic approach is the best, easiest,
and only practically implementable approach. Starting with the Debian
security guide. I've included a link at the bottom of this post.

>>

> 
> As for passwords,

The OP has stated that the server was cracked, not the user's application
(though that is likely to have happened). That's consistent with a web
shell attack.

It's an injection type attack that runs OS commands[*1]. The web shell
is able to execute a command/commands either as:-
; a result of insecure application or system (php) settings allowing an
uploaded script to be executed directly (file upload)
; unsanitized data - executed php code appended to a link or to file
upload URI

None of those methods are dependent on password access.

The attack can gain elevated permission due to insecure file permissions
or poor passwords. Password insecurity is not the means of ingress (it
is important though - but don't rely on it).

Password security for the server (as distinct from user web
applications) *should* be part of any webserver security. Debian
provides dsniff and John the Ripper which are used in industry best
practice password auditing.
By default Debian implements md5 and shadow which are the 'basis' of
best practice password security (auditing are other practices add to
those things).



As Brad has pointed out, in business we employ specialized personnel to
deal with security (or aspects of it). Please note my point about
security requiring a systemic approach. Paint by numbers and/or ad hoc
"security" is not security.



Kind regards

Useful references:-
https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html
http://httpd.apache.org/docs/current/misc/security_tips.html
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
https://phpbestpractices.org/
http://www.developphp.com/view.php?tid=772
http://demongin.org/blog/829/


Archive: https://lists.debian.org/5322be29.7010...@gmail.com



Re: Security question concerning jail or virtualization

2014-03-13 Thread shawn wilson
On Mar 14, 2014 12:13 AM, "Brad Alexander"  wrote:
>

>>>
>>> Due to this experience I would like to know what the best way to limit
>>> such problems is, especially when hosting web servers for users who may or
>>> may not installed unsecure applications on the web server.
>
>
> Auditing your security is probably your best bet. As I said above, maybe
> some web app testing tools, run scans against your server regularly with
> Nessus or OpenVAS, plus the security best practices...Good password hygiene,
> bastion hosts (only one type of app on a machine), turning off/uninstalling
> unneeded apps, especially those with a network presence, etc.

I'm not sure how your customers may feel about you scanning their apps.
What do you do if you find something they don't want to fix? It will
probably even cause legal issues.

If you do want to do scans, might want to start with someone like nikto
(it's free) and see what you find. Idk how well Nessus does web scans
either - idk that's their core business (I think that would be AD and
compliance). Burp is the tool most use for this. Though, give a baby your
car keys and if you're lucky nothing will happen - if you're not...

A better solution for sites you host and don't own might be a WAF.
Something free like mod_security (some used to sell a rule subscription -
can't remember who). Or a PaloAlto box.

As for passwords, among other things, the company I work for is kinda known
for password auditing so, take it off list if you want a contact for that
type of thing. If you don't own the data though...


Re: Security question concerning jail or virtualization

2014-03-13 Thread Brad Alexander
On Thu, Mar 13, 2014 at 11:39 PM, shawn wilson  wrote:

> Well Linux has LXC which is supposed to be equivalent to jails (also see
> docker). But use whatever suits you.
>
As are the older-school OpenVZ and Linux VServer technologies.

> Idk what's current for breaking out of VMs is. It might be good to pay
> attention to who is using the most entropy and make sure you don't run out.
> Most VMs use processor VT to isolate things (I don't think any 'jail' does
> this).
>
The main difference between the jail/container technology and "real" VMs is
that containers share the host node's kernel, while a full virtualization
involves representing, to some degree, everything about a physical machine,
e.g. BIOS, kernel, etc.

> I think most providers use OpenStack (a suite of technologies). YMMV
> On Mar 13, 2014 11:06 PM, "Martin Braun"  wrote:
>
>> Hi
>>
>> I have recently experienced a server being "hacked" due to a security
>> problem with a PHP application that made it possible for the "hacker" to
>> gain a web shell.
>>
>
It sounds like perhaps you should investigate a web application test suite.
Whether this was running on a physical machine, a VM, or a container, it
would not have changed the result of your php app getting hacked.


>> Due to this experience I would like to know what the best way to limit
>> such problems is, especially when hosting web servers for users who may or
>> may not installed unsecure applications on the web server.
>>
>
Auditing your security is probably your best bet. As I said above, maybe
some web app testing tools, run scans against your server regularly with
Nessus or OpenVAS, plus the security best practices...Good password hygiene,
bastion hosts (only one type of app on a machine), turning off/uninstalling
unneeded apps, especially those with a network presence, etc.


>> What does the big hosters do? What do they use?
>>
>
They hire staffs of sysadmins and security folks. :)


>> The solution can't be too complicated to maintain and I would prefer each
>> user being completely separated from the main OS and from other users.
>>
>
Depends on what you are trying to protect and what you are trying to defend
against.

--b


Re: Security question concerning jail or virtualization

2014-03-13 Thread Scott Ferguson
On 14/03/14 13:50, Martin Braun wrote:
> Hi
> 
> I have recently experienced a server being "hacked" due to a security
> problem with a PHP application that made it possible for the "hacker" to
> gain a web shell.

Has that problem been rectified?
If not then virtualization won't solve the problems, at best it'll just
restrict the types of problems - you can still find the content hijacked
and traffic redirected.

> 
> Due to this experience I would like to know what the best way to limit
> such problems is, especially when hosting web servers for users who may
> or may not installed unsecure applications on the web server.

If user applications can access the OS then you have a permissions
problem - the php application flaw was just the vector.

> 
> What does the big hosters do? What do they use?

A range of measures.

> 
> The solution can't be too complicated to maintain and I would prefer
> each user being completely separated from the main OS and from other users.

Your preference *is* how "the big hosters" do things.

> 
> I have been thinking about running Debian inside FreeBSD Jails or "The
> Warden". I have also been thinking about using Xen and installing
> several Debians on Debian.
> 
> What is the best (and if possible simplest) way to deal with this?

The "simplest" way to do things is to install a very basic Debian stable
then use the Virtualmin script to install the rest of the Debian packages
needed for the server. Setup accounts for each user, their applications
will then run in $user/public_html.
> 
> Kind regards

It's a trivial attack[*1] and bad php alone usually is not the cause.

Check php.ini and ensure you haven't accidentally enabled dangerous
configurations e.g. shell_exec, passthru, system etc.  If you *do* have
a compelling reason for enabling those functions consider whitelisting
and input filters. But don't rely on those alone - bad php is often the
cause (don't trust unknown php e.g. user submitted extensions and
plugins for CMS - even when you trust the intentions of the writer
that's no reason to trust the code). Make sure data is sanitized and if
you have a compelling reason to enable OS commands with php consider
wrapping them in java.

If you have allow_url_fopen enabled make sure you have a compelling
reason for it. I've never found one, but my experience far from covers
all use cases.

Ensure that open_basedir is enabled in php.ini

*Double and triple check your webuser permissions*

Test your security:-
As the web user (change /var/www to suit your situation e.g.
$user/public_html)
# list .php/.txt files under $Search_Dir that mention any of these functions
$ Search_Dir="/var/www"; Problems="passthru|shell_exec|system|phpinfo|base64_decode|popen|exec|proc_open|pcntl_exec|python_eval|fopen|fclose|readfile"
$ grep -RPl --include=*.{php,txt} "($Problems)" "$Search_Dir"

Install and run ClamAV and don't forget that perl may be where the
malware is based.

When you are certain that your system is clean and secure, backup the
static files to a remote location and md5 or pgp them so you can check
them against your web server at a later point to *prove* your system
hasn't been breached.
Then install an IDS.


[*1]can be as simple as weak file permissions or a dodgy cms allowing an
attacker to upload the following


Hope that helps - it's a big question, and so is the answer.
Web applications is a nebulous description, like the information about
your server - so a detailed response is beyond the limits of a post (and
my available time).
I'm glad you asked though instead of making the mistake of looking for a
"silver bullet" solution on a random web page. It's not just irritating
for you when your server gets cracked - it affects all of us.


Kind regards

P.S. Don't forget to check Google Webmaster in case your site/s have
been reported so that you can request the necessary changes.


Archive: https://lists.debian.org/532281a2.9070...@gmail.com
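
Added example, not part of the original post: a shell check of the three php.ini points raised above (command-execution functions left callable, allow_url_fopen, open_basedir), run against two constructed php.ini files. The function names, file names and the /home/alice path are made up for this example; the function list is taken from the grep pattern in the post, and ':' is assumed as the open_basedir separator (Linux).

```shell
#!/bin/sh
# Added example: audit a php.ini for the settings discussed in the post.
# All names and sample contents below are constructed for illustration.

# ini_get FILE KEY: print the value of the last active "KEY = value" line.
ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*(;|\[)/ { next }          # comments and [section] lines
        {
            eq = index($0, "=")
            if (!eq) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            sub(/[[:space:]]+;.*$/, "", v)      # trailing "; comment"
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) val = v               # a later line overrides
        }
        END { print val }' "$1"
}

# Functions from the post's grep pattern that start OS commands.
RISKY_FUNCS="shell_exec passthru system exec popen proc_open pcntl_exec"

# php_ini_audit FILE: print one finding per line, nothing if all is well.
php_ini_audit() {
    ini=$1
    # disable_functions is a comma-separated list. Wrapping it in commas lets
    # each name match exactly, so "exec" does not also cover "shell_exec".
    disabled=",$(ini_get "$ini" disable_functions | tr -d '[:space:]'),"
    for fn in $RISKY_FUNCS; do
        case $disabled in
            *",$fn,"*) ;;
            *) echo "callable: $fn" ;;
        esac
    done
    # PHP treats allow_url_fopen as On when the directive is absent.
    case $(ini_get "$ini" allow_url_fopen | tr '[:upper:]' '[:lower:]') in
        0|off|false|no|none) ;;
        *) echo "allow_url_fopen: on" ;;
    esac
    # An empty or missing open_basedir means no path restriction at all.
    [ -n "$(ini_get "$ini" open_basedir)" ] || echo "open_basedir: not set"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: nothing restricted.
cat > "$WORK/weak.ini" <<'EOF'
[PHP]
disable_functions =
allow_url_fopen = On
;open_basedir =
EOF

# Constructed sample: the same directives tightened for one hosted user.
cat > "$WORK/hardened.ini" <<'EOF'
[PHP]
disable_functions = shell_exec, passthru, system, exec, popen, proc_open, pcntl_exec
allow_url_fopen = Off
open_basedir = "/home/alice/public_html:/tmp"   ; per-user docroot
EOF

echo "weak.ini:";     php_ini_audit "$WORK/weak.ini"
echo "hardened.ini:"; php_ini_audit "$WORK/hardened.ini"
```

A site or pool can override these values elsewhere (for example per virtual host), so the file being audited should be the one that actually applies to the user's code.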



Re: Security question concerning jail or virtualization

2014-03-13 Thread shawn wilson
Well Linux has LXC which is supposed to be equivalent to jails (also see
docker). But use whatever suits you.

Idk what's current for breaking out of VMs is. It might be good to pay
attention to who is using the most entropy and make sure you don't run out.
Most VMs use processor VT to isolate things (I don't think any 'jail' does
this).

I think most providers use OpenStack (a suite of technologies). YMMV
On Mar 13, 2014 11:06 PM, "Martin Braun"  wrote:

> Hi
>
> I have recently experienced a server being "hacked" due to a security
> problem with a PHP application that made it possible for the "hacker" to
> gain a web shell.
>
> Due to this experience I would like to know what the best way to limit
> such problems is, especially when hosting web servers for users who may or
> may not installed unsecure applications on the web server.
>
> What does the big hosters do? What do they use?
>
> The solution can't be too complicated to maintain and I would prefer each
> user being completely separated from the main OS and from other users.
>
> I have been thinking about running Debian inside FreeBSD Jails or "The
> Warden". I have also been thinking about using Xen and installing several
> Debians on Debian.
>
> What is the best (and if possible simplest) way to deal with this?
>
> Kind regards
>


Re: security question

2008-10-21 Thread Ron Johnson

On 10/21/08 12:10, Paul Johnson wrote:
> Bogdan wrote:
>> This is stupid! Any decent web developer would make his app work at
>> least with IE,  Firefox and Safari ( my opinion )!
>
> That's stupid.  Nobody should ever be coding with only specific browsers
> in mind.  Get it to validate on http://validator.w3.org/  Then if it
> doesn't work, it's a craptastical browser problem beyond their control,
> not a standards compliance issue within their control.


Of course it's stupid.  Why are you surprised that corporate drones 
do stupid things?


--
Ron Johnson, Jr.
Jefferson LA  USA

Help a man when he is in trouble and he will remember you when
he is in trouble again.






Re: security question

2008-10-21 Thread Dotan Cohen
2008/10/18 Carl Fink <[EMAIL PROTECTED]>:
> One other possibility: install virtualbox-ose, and run an occasional Windows
> session inside Debian when you need to bank.  That's what I do with some
> specific software I need for my job.
>

What software is that, Carl?

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

ä-ö-ü-ß-Ä-Ö-Ü


Re: security question

2008-10-21 Thread Dotan Cohen
2008/10/18 Bogdan <[EMAIL PROTECTED]>:
> Hey,
>
> Although I don't like it, the bank i work with only offers Internet Banking
> that works only under Internet Explorer. So, unfortunately, if I want to
> check out my account I see myself obliged to boot Windows :(. I know that IE
> can be installed through wine but no one  seems to guaranty safety... Would
> IE installed on my Debian be less safe than the one running in it's native
> environment? If yes, why would that be so?
>

Switch banks. I did for that reason and that reason only.

The bank is forcing you to use an insecure browser. Would you not
switch banks if they forced you to make deposits in a flimsy tin
lockbox outside their building? You cannot trust IE, and you should
not under any circumstances use IE for internet banking, paypal, ebay,
or any other financial transaction. So far as you are  concerned, your
bank does not offer internet banking.

I am not joking, and I am not exaggerating.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

ä-ö-ü-ß-Ä-Ö-Ü


Re: security question

2008-10-21 Thread Paul Johnson
Bogdan wrote:
> This is stupid! Any decent web developer would make his app work at
> least with IE,  Firefox and Safari ( my opinion )! 

That's stupid.  Nobody should ever be coding with only specific browsers
in mind.  Get it to validate on http://validator.w3.org/  Then if it
doesn't work, it's a craptastical browser problem beyond their control,
not a standards compliance issue within their control.





Re: security question

2008-10-21 Thread Tzafrir Cohen
On Sat, Oct 18, 2008 at 08:12:53PM +0300, Bogdan wrote:
> Paul Johnson wrote:
>> Douglas A. Tutty wrote:
>>   
>>> On Sat, Oct 18, 2008 at 07:51:38PM +0300, Bogdan wrote:
>>>   
>>>> Although I don't like it, the bank i work with only offers Internet
>>>> Banking that works only under Internet Explorer. So, unfortunately,
>>>> if I want to check out my account I see myself obliged to boot
>>>> Windows :(. I know that IE can be installed through wine but no one
>>>> seems to guaranty safety... Would IE installed on my Debian be
>>>> less safe than the one running in it's native environment? If yes,
>>>> why would that be so?
>>>>
>>> I wouldn't trust IE to do banking in any event.
>>>
>>> Actually, I don't trust any internet banking.  I go to the bank, the
>>> bank's machine, or I phone them.
>>> 
>> I don't even trust ATMs if they run Windows.  Which pretty much
>> eliminates the possibility of me ever banking with Bank of America or
>> Wells Fargo.
>>
>>   
> Hey guys,
>
> Thanks for your answers!
> Although i really like my bank, I considered switching because of this  
> reason, but as far as I can tell, there is only one bank in Romania that  
> offers Internet Banking with Firefox :(, and I don't like it.
> I'm thinking on mailing my bank on the issue... but I guess it won't  
> make any difference.
> Oh well... a lot of people still think Linux is some fruit and Firefox  
> some weird animal :).

Considering the increasing market share of Firefox and co. 
(especially with young folks who the banks most want as customers),
banks that do not support other browsers are fools.

So you should start with checking the support of Firefox and other
browsers with other banks. And actively threaten to move your account
elsewhere.

Two years ago only one of the major 5 banks in Israel had good support
for Firefox, and another one had a buggy but working one. Now all 5 have
at least "buggy but working one". Banks generally move slow: it takes a
lot of time for them to test a new site. So if they tell you "we're
working on it" you may be able to believe them. But "we're working on it
and it will probably be ready on ___" is a better answer.

-- 
Tzafrir Cohen | [EMAIL PROTECTED] | VIM is
http://tzafrir.org.il || a Mutt's
[EMAIL PROTECTED] ||  best
ICQ# 16849754 || friend





Re: security question

2008-10-20 Thread Emanoil Kotsev
Bogdan wrote:

> Emanoil Kotsev wrote:
>> Bogdan wrote:
>>
>>   
>>> Paul Johnson wrote:
>>> 
>>>> Douglas A. Tutty wrote:
>>>>> On Sat, Oct 18, 2008 at 07:51:38PM +0300, Bogdan wrote:
>>>>>> Although I don't like it, the bank i work with only offers Internet
>>>>>> Banking that works only under Internet Explorer. So, unfortunately,
>>>>>> if I want to check out my account I see myself obliged to boot
>>>>>> Windows :(. I
>>>>>> know that IE can be installed through wine but no one  seems to
>>>>>> guaranty safety... Would IE installed on my Debian be less safe than
>>>>>> the one running in it's native environment? If yes, why would that be
>>>>>> so?
>>>>>
>>>>> I wouldn't trust IE to do banking in any event.
>>>>>
>>>>> Actually, I don't trust any internet banking.  I go to the bank, the
>>>>> bank's machine, or I phone them.
>>>>>
>>>> I don't even trust ATMs if they run Windows.  Which pretty much
>>>> eliminates the possibility of me ever banking with Bank of America or
>>>> Wells Fargo.
>>>>
>>> Hey guys,
>>>
>>> Thanks for your answers!
>>> Although i really like my bank, I considered switching because of this
>>> reason, but as far as I can tell, there is only one bank in Romania that
>>> offers Internet Banking with Firefox :(, and I don't like it.
>>> I'm thinking on mailing my bank on the issue... but I guess it won't
>>> make any difference.
>>> Oh well... a lot of people still think Linux is some fruit and Firefox
>>> some weird animal :).
>>>
>>> Best regards,
>>>
>>> 
>>
>> You can go with this issue to the EU commission and complain. I think the
>> right way is first to complain or search for help at the bank and make it
>> clear that you do not have alternatives then search for help from your
>> local consumer protection and rights organisation, however it might be
>> called in english or romanian and if they don't respond then write to the
>> commission that you are being blackmailed to use windows.
>>
>> Unbelievable the story - and we are in the 21. century
>>
>> thumbs up
>>
>> regards
>>
>>
>>   
> 
> Hey,
> 
> Andrei, I didn't know that Unicredit Tiriac works with Firefox, I was
> meaning ING :D.
> 
> Emanoil, my bank is a Romanian one, Transilvania Bank, so I'm guessing
> you might not have heard of it :). But this Internet Explorer issue is
> not a singular case, I can name a lot of other banks that only support IE.
> This is stupid! Any decent web developer would make his app work at
> least with IE,  Firefox and Safari ( my opinion )! I really don't
> understand why these, let's face it, hugely funded  internet banking
> applications restrict you to the weakest browser in the market. The guys
> developing them are paid big time and still they assume everybody uses
> the same crap and also they manage to fool the banks into believing
> them! Sad... :)
> 
> Best regards,

Well, programming for M$ is very easy for them, and the programs they create
run on top of the explorer libraries.
The EU commission just sued them to pay 500 mil. because of this. I am
convinced if you go to the bank and lay out the facts they will listen to
you. You should demand to have this changed and to tell you a realistic
deadline. It's clear that they can not offer such a product for just a few
months, but they should start working.

If they do not give you a deadline I suggest you go first to your consumer
protection (however it might be called) office and talk to them.
In the meantime you can write also to the EU commission - they will be glad
to hear your story and file it to the M$ case.

regards





Re: security question

2008-10-19 Thread Ron Johnson

On 10/19/08 06:02, Bogdan wrote:
[snip]
> This is stupid! Any decent web developer would make his app work at
> least with IE,  Firefox and Safari ( my opinion )! I really don't
> understand why these, let's face it, hugely funded  internet banking
> applications restrict you to the weakest browser in the market. The guys
> developing them are paid big time and still they assume everybody uses
> the same crap and also they manage to fool the banks into believing
> them! Sad... :)


Generalize this to all of "IT".  Corporate developers who have drunk 
the Microsoft Kool-Aid know or care nothing about anything beyond 
Microsoft.


--
Ron Johnson, Jr.
Jefferson LA  USA

Help a man when he is in trouble and he will remember you when
he is in trouble again.






Re: security question

2008-10-19 Thread Andrei Popescu
On Sun,19.Oct.08, 14:02:11, Bogdan wrote:

> Andrei, I didn't know that Unicredit Tiriac works with Firefox, I was 
> meaning ING :D.

There might be others as well. You could search the archives of rlug 
(offtopic), as this subject comes up regularly.

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)




Re: security question

2008-10-19 Thread Paul Johnson
Carl Fink wrote:
> On Sat, Oct 18, 2008 at 07:51:38PM +0300, Bogdan wrote:
>   
>> Although I don't like it, the bank i work with only offers Internet  
>> Banking that works only under Internet Explorer. So, unfortunately, if I  
>> want to check out my account I see myself obliged to boot Windows :(. I  
>> know that IE can be installed through wine but no one  seems to guaranty  
>> safety... Would IE installed on my Debian be less safe than the one  
>> running in it's native environment? If yes, why would that be so?
>> 
>
> One other possibility: install virtualbox-ose, and run an occasional Windows
> session inside Debian when you need to bank.  That's what I do with some
> specific software I need for my job.
>
> Alternatives include Xen and VMWare Player.
>   
I'm not sure I'd consider VMPlayer particularly viable.  It's non-free,
and has serious stability issues that would have caused massive data
loss if I didn't have a nightly backup.






Re: security question

2008-10-19 Thread Bogdan

Emanoil Kotsev wrote:
> Bogdan wrote:
>> Paul Johnson wrote:
>>> Douglas A. Tutty wrote:
>>>> On Sat, Oct 18, 2008 at 07:51:38PM +0300, Bogdan wrote:
>>>>> Although I don't like it, the bank i work with only offers Internet
>>>>> Banking that works only under Internet Explorer. So, unfortunately, if
>>>>> I want to check out my account I see myself obliged to boot Windows :(.
>>>>> I
>>>>> know that IE can be installed through wine but no one  seems to
>>>>> guaranty safety... Would IE installed on my Debian be less safe than
>>>>> the one running in it's native environment? If yes, why would that be
>>>>> so?
>>>>
>>>> I wouldn't trust IE to do banking in any event.
>>>>
>>>> Actually, I don't trust any internet banking.  I go to the bank, the
>>>> bank's machine, or I phone them.
>>>
>>> I don't even trust ATMs if they run Windows.  Which pretty much
>>> eliminates the possibility of me ever banking with Bank of America or
>>> Wells Fargo.
>>
>> Hey guys,
>>
>> Thanks for your answers!
>> Although i really like my bank, I considered switching because of this
>> reason, but as far as I can tell, there is only one bank in Romania that
>> offers Internet Banking with Firefox :(, and I don't like it.
>> I'm thinking on mailing my bank on the issue... but I guess it won't
>> make any difference.
>> Oh well... a lot of people still think Linux is some fruit and Firefox
>> some weird animal :).
>>
>> Best regards,
>
> You can go with this issue to the EU commission and complain. I think the
> right way is first to complain or search for help at the bank and make it
> clear that you do not have alternatives then search for help from your
> local consumer protection and rights organisation, however it might be
> called in english or romanian and if they don't respond then write to the
> commission that you are being blackmailed to use windows.
>
> Unbelievable the story - and we are in the 21. century
>
> thumbs up
>
> regards


Hey,

Andrei, I didn't know that Unicredit Tiriac works with Firefox, I was 
meaning ING :D.


Emanoil, my bank is a Romanian one, Transilvania Bank, so I'm guessing 
you might not have heard of it :). But this Internet Explorer issue is 
not a singular case, I can name a lot of other banks that only support IE.
This is stupid! Any decent web developer would make his app work at 
least with IE,  Firefox and Safari ( my opinion )! I really don't 
understand why these, let's face it, hugely funded  internet banking 
applications restrict you to the weakest browser in the market. The guys 
developing them are paid big time and still they assume everybody uses 
the same crap and also they manage to fool the banks into believing 
them! Sad... :)


Best regards,
--

ing. Bogdan MARIAN
Timisoara, ROMANIA
E-mail: [EMAIL PROTECTED]
E-mail: [EMAIL PROTECTED]






Re: security question

2008-10-18 Thread Emanoil Kotsev
Bogdan wrote:

> Paul Johnson wrote:
>> Douglas A. Tutty wrote:
>>   
>>> On Sat, Oct 18, 2008 at 07:51:38PM +0300, Bogdan wrote:
>>>   
>>> 
>>>> Although I don't like it, the bank i work with only offers Internet
>>>> Banking that works only under Internet Explorer. So, unfortunately, if
>>>> I want to check out my account I see myself obliged to boot Windows :(.
>>>> I know that IE can be installed through wine but no one  seems to
>>>> guaranty safety... Would IE installed on my Debian be less safe than
>>>> the one running in it's native environment? If yes, why would that be
>>>> so?
 
   
>>> I wouldn't trust IE to do banking in any event.
>>>
>>> Actually, I don't trust any internet banking.  I go to the bank, the
>>> bank's machine, or I phone them.
>>> 
>> I don't even trust ATMs if they run Windows.  Which pretty much
>> eliminates the possibility of me ever banking with Bank of America or
>> Wells Fargo.
>>
>>   
> Hey guys,
> 
> Thanks for your answers!
> Although i really like my bank, I considered switching because of this
> reason, but as far as I can tell, there is only one bank in Romania that
> offers Internet Banking with Firefox :(, and I don't like it.
> I'm thinking on mailing my bank on the issue... but I guess it won't
> make any difference.
> Oh well... a lot of people still think Linux is some fruit and Firefox
> some weird animal :).
> 
> Best regards,
> 

You can go with this issue to the EU commission and complain. I think the
right way is first to complain or search for help at the bank and make it
clear that you do not have alternatives then search for help from your
local consumer protection and rights organisation, however it might be
called in English or Romanian and if they don't respond then write to the
commission that you are being blackmailed to use Windows.

Unbelievable the story - and we are in the 21. century

thumbs up

regards





Re: security question

2008-10-18 Thread Emanoil Kotsev
Bogdan wrote:

> Hey,
> 
> Although I don't like it, the bank i work with only offers Internet
> Banking that works only under Internet Explorer. So, unfortunately, if I
> want to check out my account I see myself obliged to boot Windows :(. I
> know that IE can be installed through wine but no one  seems to guaranty
> safety... Would IE installed on my Debian be less safe than the one
> running in it's native environment? If yes, why would that be so?
> 
> Thanks,
> 

You are not talking serious!
Which is this bank?





Re: security question

2008-10-18 Thread Andrei Popescu
On Sat,18.Oct.08, 20:12:53, Bogdan wrote:

> Thanks for your answers!
> Although i really like my bank, I considered switching because of this 
> reason, but as far as I can tell, there is only one bank in Romania that 
> offers Internet Banking with Firefox :(, and I don't like it.

Unicredit Țiriac works just fine with Firefox (Iceweasel). Did you mean 
some other bank?

> I'm thinking on mailing my bank on the issue... but I guess it won't make 
> any difference.

If you don't they won't even know we exist. 

> Oh well... a lot of people still think Linux is some fruit and Firefox some 
> weird animal :).

:)

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)




Re: security question

2008-10-18 Thread Carl Fink
On Sat, Oct 18, 2008 at 07:51:38PM +0300, Bogdan wrote:
>
> Although I don't like it, the bank i work with only offers Internet  
> Banking that works only under Internet Explorer. So, unfortunately, if I  
> want to check out my account I see myself obliged to boot Windows :(. I  
> know that IE can be installed through wine but no one  seems to guaranty  
> safety... Would IE installed on my Debian be less safe than the one  
> running in it's native environment? If yes, why would that be so?

One other possibility: install virtualbox-ose, and run an occasional Windows
session inside Debian when you need to bank.  That's what I do with some
specific software I need for my job.

Alternatives include Xen and VMWare Player.
-- 
Carl Fink   [EMAIL PROTECTED] 

Read my blog at blog.nitpicking.com.  Reviews!  Observations!
Stupid mistakes you can correct!





Re: security question

2008-10-18 Thread Osamu Aoki
On Sat, Oct 18, 2008 at 07:51:38PM +0300, Bogdan wrote:
> Hey,
>
> Although I don't like it, the bank i work with only offers Internet  
> Banking that works only under Internet Explorer. So, unfortunately, if I  
> want to check out my account I see myself obliged to boot Windows :(. I  
> know that IE can be installed through wine but no one  seems to guaranty  
> safety... Would IE installed on my Debian be less safe than the one  
> running in it's native environment? If yes, why would that be so?

I do not bother to install on Debian (If you know, please write howto
just for fun under wine.)

You can spoof user-agent string of your browser if that is the only
problem.  (You need java etc. to get their sites working though.) Many
sites use such tricks for no technical reason.

  
http://people.debian.org/~osamu/pub/getwiki/html/ch07.en.html#browserconfiguration

If you really need to access bank with Windows, please seek proper
protection measure elsewhere.  

Osamu





Re: security question

2008-10-18 Thread Ron Johnson

On 10/18/08 11:51, Bogdan wrote:

> Hey,
>
> Although I don't like it, the bank i work with only offers Internet
> Banking that works only under Internet Explorer. So, unfortunately, if I
> want to check out my account I see myself obliged to boot Windows :(. I
> know that IE can be installed through wine but no one  seems to guaranty
> safety...


What do you mean by "no one guarantees safety"?  No one can *ever* 
guarantee the perfect safety of *any* software, especially complex 
software like Firefox.


> Would IE installed on my Debian be less safe than the one
> running in it's native environment? If yes, why would that be so?


Try the User Agent Switcher addon to make Iceweasel pretend that 
it's IE6.  It might not work (especially if the Bank uses an ActiveX 
extension), but it's worth a try.


If that doesn't work, try IE6 under Wine.  Or change banks, if possible.

--
Ron Johnson, Jr.
Jefferson LA  USA

Help a man when he is in trouble and he will remember you when
he is in trouble again.






Re: security question

2008-10-18 Thread Bogdan

Paul Johnson wrote:
> Douglas A. Tutty wrote:
>> On Sat, Oct 18, 2008 at 07:51:38PM +0300, Bogdan wrote:
>>> Although I don't like it, the bank i work with only offers Internet
>>> Banking that works only under Internet Explorer. So, unfortunately, if I
>>> want to check out my account I see myself obliged to boot Windows :(. I
>>> know that IE can be installed through wine but no one  seems to guaranty
>>> safety... Would IE installed on my Debian be less safe than the one
>>> running in it's native environment? If yes, why would that be so?
>>
>> I wouldn't trust IE to do banking in any event.
>>
>> Actually, I don't trust any internet banking.  I go to the bank, the
>> bank's machine, or I phone them.
>
> I don't even trust ATMs if they run Windows.  Which pretty much
> eliminates the possibility of me ever banking with Bank of America or
> Wells Fargo.

  

Hey guys,

Thanks for your answers!
Although i really like my bank, I considered switching because of this 
reason, but as far as I can tell, there is only one bank in Romania that 
offers Internet Banking with Firefox :(, and I don't like it.
I'm thinking on mailing my bank on the issue... but I guess it won't 
make any difference.
Oh well... a lot of people still think Linux is some fruit and Firefox 
some weird animal :).


Best regards,

--
ing. Bogdan MARIAN
Timisoara, ROMANIA
E-mail: [EMAIL PROTECTED]
E-mail: [EMAIL PROTECTED]






Re: security question

2008-10-18 Thread Paul Johnson
Douglas A. Tutty wrote:
> On Sat, Oct 18, 2008 at 07:51:38PM +0300, Bogdan wrote:
>   
>> Although I don't like it, the bank i work with only offers Internet 
>> Banking that works only under Internet Explorer. So, unfortunately, if I 
>> want to check out my account I see myself obliged to boot Windows :(. I 
>> know that IE can be installed through wine but no one  seems to guaranty 
>> safety... Would IE installed on my Debian be less safe than the one 
>> running in it's native environment? If yes, why would that be so?
>> 
>
> I wouldn't trust IE to do banking in any event.
>
> Actually, I don't trust any internet banking.  I go to the bank, the
> bank's machine, or I phone them.
I don't even trust ATMs if they run Windows.  Which pretty much
eliminates the possibility of me ever banking with Bank of America or
Wells Fargo.





Re: security question

2008-10-18 Thread Paul Johnson
Bogdan wrote:
> Although I don't like it, the bank i work with only offers Internet
> Banking that works only under Internet Explorer. 
Time to switch banks, and tell them why.






Re: security question

2008-10-18 Thread Douglas A. Tutty
On Sat, Oct 18, 2008 at 07:51:38PM +0300, Bogdan wrote:
> Although I don't like it, the bank i work with only offers Internet 
> Banking that works only under Internet Explorer. So, unfortunately, if I 
> want to check out my account I see myself obliged to boot Windows :(. I 
> know that IE can be installed through wine but no one  seems to guaranty 
> safety... Would IE installed on my Debian be less safe than the one 
> running in it's native environment? If yes, why would that be so?

I wouldn't trust IE to do banking in any event.

Actually, I don't trust any internet banking.  I go to the bank, the
bank's machine, or I phone them.

Doug.





Re: Security question: are these vulnerabilities addressed?

2007-06-03 Thread Scott Gifford
Douglas Allan Tutty <[EMAIL PROTECTED]> writes:

> On Sun, Jun 03, 2007 at 12:50:51AM -0400, Scott Gifford wrote:
>> Douglas Allan Tutty <[EMAIL PROTECTED]> writes:
>> > On Fri, Jun 01, 2007 at 12:07:23AM -0400, Scott Gifford wrote:
>> >> Postgres completely fell apart, and it took many hours to piece things
>> >> back together.
>> >
>> > Did you have a postgres dump just prior to the upgrade?  In what way did
>> > it fall apart?  What did you have to do to piece things back together;
>> > didn't restoring from the dump work?
>> 
>> The data was OK, but it lost all the user accounts.  It's been a few
>> months now and my memory is a bit hazy, but IIRC, the format of the
>> Postgres password file changed between versions.
>
> I thought that a pg_dumpall would dump all the users with their
> passwords so that when the dump was run by the new version, the file
> would be created correctly from the data in the dump.  I thought that
> was the whole reason for doing a pg_dump rather than just backing up the
> postgres home directory with it stopped.

I believe it dumped the passwords, but didn't upgrade them properly
when they were restored.  I don't know exactly what happened, though,
unfortunately; I was too busy fixing things to keep detailed notes.
:-)

Scott.





Re: Security question: are these vulnerabilities addressed?

2007-06-03 Thread Douglas Allan Tutty
On Sun, Jun 03, 2007 at 12:50:51AM -0400, Scott Gifford wrote:
> Douglas Allan Tutty <[EMAIL PROTECTED]> writes:
> > On Fri, Jun 01, 2007 at 12:07:23AM -0400, Scott Gifford wrote:
> >> Postgres completely fell apart, and it took many hours to piece things
> >> back together.
> >
> > Did you have a postgres dump just prior to the upgrade?  In what way did
> > it fall apart?  What did you have to do to piece things back together;
> > didn't restoring from the dump work?
> 
> The data was OK, but it lost all the user accounts.  It's been a few
> months now and my memory is a bit hazy, but IIRC, the format of the
> Postgres password file changed between versions.

I thought that a pg_dumpall would dump all the users with their
passwords so that when the dump was run by the new version, the file
would be created correctly from the data in the dump.  I thought that
was the whole reason for doing a pg_dump rather than just backing up the
postgres home directory with it stopped.

Doug.

 





Re: Security question: are these vulnerabilities addressed?

2007-06-02 Thread Scott Gifford
Douglas Allan Tutty <[EMAIL PROTECTED]> writes:

> On Fri, Jun 01, 2007 at 12:07:23AM -0400, Scott Gifford wrote:
>> Andrew Sackville-West <[EMAIL PROTECTED]> writes:
>> > On Wed, May 30, 2007 at 12:23:46AM -0400, Scott Gifford wrote:
>> >> Kamaraju S Kusumanchi <[EMAIL PROTECTED]> writes:
>> >> Our upgrade from Woody to Sarge was so disastrous, I will need more
>> >> time for this client to forget about it before I can propose another
>> >> upgrade.  :-)
>> >
>> > what were the woody -> sarge issues? perhaps they've been addressed...
>> 
>> Postgres completely fell apart, and it took many hours to piece things
>> back together.
>
> Did you have a postgres dump just prior to the upgrade?  In what way did
> it fall apart?  What did you have to do to piece things back together;
> didn't restoring from the dump work?

The data was OK, but it lost all the user accounts.  It's been a few
months now and my memory is a bit hazy, but IIRC, the format of the
Postgres password file changed between versions.  When the upgrade
failed (probably because of our unusual Postgres configuration), the
password file had to be re-created by hand.  Which all sounds pretty
straightforward, except there weren't any clear messages to indicate
this, and it took me quite a few hours to figure out the problem.  The
change in the file format wasn't documented clearly anywhere that I
could find, which I found very frustrating.  Eventually we found the
problem, deleted the password file, and re-created the accounts by
hand (fortunately nobody took our advice to reset their password), but
our server was down for several hours.

There were also a bunch of changes to PHP that wreaked havoc for us.
We were running PHP through CGI (not embedded in the Web server), and
Sarge changed how all that worked, and broke all of our existing
configurations.

If the server hadn't been down and I'd had a paper and pen, I would
have kept better track of exactly what happened.  :-)

This is the only upgrade to Sarge I did that had significant problems,
but I will admit the experience left me much less confident in the
upgrade process.

Scott.





Re: Security question: are these vulnerabilities addressed?

2007-06-02 Thread Douglas Allan Tutty
On Fri, Jun 01, 2007 at 12:07:23AM -0400, Scott Gifford wrote:
> Andrew Sackville-West <[EMAIL PROTECTED]> writes:
> > On Wed, May 30, 2007 at 12:23:46AM -0400, Scott Gifford wrote:
> >> Kamaraju S Kusumanchi <[EMAIL PROTECTED]> writes:
> >> Our upgrade from Woody to Sarge was so disastrous, I will need more
> >> time for this client to forget about it before I can propose another
> >> upgrade.  :-)
> >
> > what were the woody -> sarge issues? perhaps they've been addressed...
> 
> Postgres completely fell apart, and it took many hours to piece things
> back together.

Did you have a postgres dump just prior to the upgrade?  In what way did
it fall apart?  What did you have to do to piece things back together;
didn't restoring from the dump work?

Doug.





Re: Security question: are these vulnerabilities addressed?

2007-05-31 Thread Scott Gifford
Andrew Sackville-West <[EMAIL PROTECTED]> writes:

> On Wed, May 30, 2007 at 12:23:46AM -0400, Scott Gifford wrote:
>> Kamaraju S Kusumanchi <[EMAIL PROTECTED]> writes:

[...]

>> > BTW, is upgrade to Etch from Sarge not an option in your case? 
>> 
>> Our upgrade from Woody to Sarge was so disastrous, I will need more
>> time for this client to forget about it before I can propose another
>> upgrade.  :-)
>> 
>
> what were the woody -> sarge issues? perhaps they've been addressed...

Postgres completely fell apart, and it took many hours to piece things
back together.

-Scott.





Re: Security question: are these vulnerabilities addressed?

2007-05-30 Thread Andrew Sackville-West
On Wed, May 30, 2007 at 12:23:46AM -0400, Scott Gifford wrote:
> Kamaraju S Kusumanchi <[EMAIL PROTECTED]> writes:
> 
> > Scott Gifford wrote:
> >
> >
> >> CVE-2006-0225  OpenSSH Local SCP Shell Command Execution
> > From /usr/share/doc/openssh-server/changelog.Debian.gz on Debian Etch
> > machine running openssh-server 4.3p2-9, this was fixed in 1:4.3p2-1
> 
> Thanks, from the bug tracking database it looks like this wasn't
> addressed for Sarge (see bug 349645), which is unfortunate.
> 
> > No idea about other stuff.
> >
> > BTW, is upgrade to Etch from Sarge not an option in your case? 
> 
> Our upgrade from Woody to Sarge was so disastrous, I will need more
> time for this client to forget about it before I can propose another
> upgrade.  :-)
> 

what were the woody -> sarge issues? perhaps they've been addressed...

A




Re: Security question: are these vulnerabilities addressed?

2007-05-29 Thread Scott Gifford
Kamaraju S Kusumanchi <[EMAIL PROTECTED]> writes:

> Scott Gifford wrote:
>
>
>> CVE-2006-0225  OpenSSH Local SCP Shell Command Execution
> From /usr/share/doc/openssh-server/changelog.Debian.gz on Debian Etch
> machine running openssh-server 4.3p2-9, this was fixed in 1:4.3p2-1

Thanks, from the bug tracking database it looks like this wasn't
addressed for Sarge (see bug 349645), which is unfortunate.

> No idea about other stuff.
>
> BTW, is upgrade to Etch from Sarge not an option in your case? 

Our upgrade from Woody to Sarge was so disastrous, I will need more
time for this client to forget about it before I can propose another
upgrade.  :-)

> Sarge is old and Etch is the new stable version.

"old" is perhaps a bit strong of a word for a release that was
state-of-the-art as of about 7 weeks ago, and is still supported for
another 10 months...

---Scott.





Re: Security question: are these vulnerabilities addressed?

2007-05-29 Thread Kamaraju S Kusumanchi
Scott Gifford wrote:


> CVE-2006-0225  OpenSSH Local SCP Shell Command Execution

From /usr/share/doc/openssh-server/changelog.Debian.gz on Debian Etch
machine running openssh-server 4.3p2-9, this was fixed in 1:4.3p2-1

No idea about other stuff.

BTW, is upgrade to Etch from Sarge not an option in your case? Sarge is old
and Etch is the new stable version.

raju
-- 
Kamaraju S Kusumanchi
http://www.people.cornell.edu/pages/kk288/
http://malayamaarutham.blogspot.com/





RE: security question (sshd log)

2004-11-02 Thread Steven Jones
Is your sshd set up to protocol 2 only? I would suggest setting it up so it is.

regards

thing

-Original Message-
From: Tarapia Tapioco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 3 November 2004 11:29 a.m.
To: [EMAIL PROTECTED]
Subject: security question (sshd log)


I found the following entries in my auth.log file:

sshd[22774]: scanned from 68.147.18.131 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
sshd[22773]: Did not receive identification string from 68.147.18.131

What do they mean, and should I panic or not?
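
The two kinds of auth.log entry quoted above can be tallied per source address, noting which sources announced a client banner and whether that banner speaks only SSH protocol 1 (which an sshd limited to protocol 2, as suggested in the reply, will not negotiate). This is an added example, not code from the thread or from OpenSSH; the patterns are derived from the two quoted lines, and every sample line other than those two is constructed.

```python
import re
from collections import defaultdict

# Patterns derived from the two auth.log entries quoted in the post. search()
# is used so a leading syslog timestamp and hostname, if present, are skipped.
SCANNED = re.compile(
    r"sshd\[\d+\]: scanned from (?P<ip>\S+) with (?P<banner>\S+?)\.\s+Don't panic\.")
NO_IDENT = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)")
# Identification string layout: SSH-<protoversion>-<softwareversion>
BANNER = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)$")

# Lines 1-2 are the entries from the post. The rest are constructed for this
# example (documentation address ranges, hypothetical host and user names).
SAMPLE_LOG = """\
sshd[22774]: scanned from 68.147.18.131 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
sshd[22773]: Did not receive identification string from 68.147.18.131
Nov  3 11:31:02 host sshd[22801]: Did not receive identification string from 192.0.2.44
Nov  3 11:31:09 host sshd[22805]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Nov  3 11:32:40 host sshd[22811]: Did not receive identification string from 192.0.2.44 port 40022
"""


def ssh1_only(banner):
    """True if the banner announces protocol 1.x (1.99 means 'also speaks 2.0')."""
    m = BANNER.match(banner)
    return bool(m) and m["proto"].startswith("1.") and m["proto"] != "1.99"


def summarize(lines):
    """Group probe events by source address; unrelated sshd lines are ignored."""
    sources = defaultdict(lambda: {"banners": set(), "scanned": 0, "no_ident": 0})
    for line in lines:
        m = SCANNED.search(line)
        if m:
            entry = sources[m["ip"]]
            entry["scanned"] += 1
            entry["banners"].add(m["banner"])
            continue
        m = NO_IDENT.search(line)
        if m:
            sources[m["ip"]]["no_ident"] += 1
    return dict(sources)


def report(lines):
    """Return (ip, kind, event_count, announced_ssh1_only) rows sorted by address string."""
    rows = []
    for ip, entry in sorted(summarize(lines).items()):
        # A source that sent a banner identified itself; one that only ever
        # disconnected before sending an identification string did not.
        kind = "announced-scanner" if entry["banners"] else "silent-probe"
        events = entry["scanned"] + entry["no_ident"]
        rows.append((ip, kind, events, any(ssh1_only(b) for b in entry["banners"])))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print("%-16s %-18s events=%d ssh1_only_banner=%s" % row)
```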





Re: Security question

2003-12-06 Thread ScruLoose
On Sat, Dec 06, 2003 at 06:36:55PM -0500, Roberto Sanchez wrote:
> At the risk of starting a flamefest, what is a good IDS?  I ask because
> the recent compromises have got me thinking.  I have a couple of
> web/mail servers I am adminning at school, and I really have no way of
> knowing if they have been 0wn3d.  I (poorly) check the logs every 2 to 4
> weeks, but that doesn't seem like enough.
> 
> What does everyone else use?  (BTW, my servers run stable.)

I use integrit, and it seems to come with fairly smart options.
Definitely read the docs that come with it and decide what level of
paranoia you want:

eg: for low paranoia you can go with the default setup where everything
goes on the HD ... for medium paranoia, put the checksum database on a
read-only network share or a CD ... for high paranoia, put the
executable itself on a read-only medium as well... etc

Also you'll want to make some decisions about what directories it should
ignore, and what to scan... no need to spend hours of processor time
generating checksums for the MP3 collection...

Cheers!
-- 
---<>---
I'm empty and aching and I don't know why.
- Simon and Garfunkel
--<>--




Re: Security question

2003-12-06 Thread Alvin Oga


On Sat, 6 Dec 2003, Scott C. Linnenbringer wrote:

> On Sat, Dec 06, 2003, at 17:27 -0800, Alvin Oga wrote: 
> 
> > i say, if your ids does find an intruder .. game over ... too late ..
> 
> Unless *you* don't know you're harboring an intruder...

yes... know people that had a cracker in their servers
for months and never noticed ...

they figured out something was wrong when they start
getting  spam complaints.. for spam they never sent
- that's a guaranteed IDS system that works
if the cracker sends spam w/ your return email addy

if they got in, game is still over ... even if they are 
idling in the server, and collecting other machines .. 
and then launch the attack to wherever they were going after
- fairly common thing for them to do

- installing ("i'm gonna hide myself") root kits seems 
  really dumb idea since any useful ids will notice the 
  changes in the system
- all the cracker wants to know is that the exploit worked
on the ip# 1.2.3.4 and keep track of the vulnerable
machines and then when the time comes .. if you
don't get caught first to go play later ..

- so use a different ip# everyday/every hour and
confuse um .. :-)

- imho... instead of worrying about ids..
- i'd rather read stuff on how to minimize the damage
the cracker can do  ...
- if they crack one box, thats gone, but all
other servers keeps happily chugging along
- protect your data as much as possible )

- allowing passwdless logins are bad idea ...
as they can break one box and have free access
all of the rest of your passwdless boxes

- you should require a DIFFERENT key phrase to
also be required to the other boxes


- lots of fun stuff to play with and think about ...

c ya
alvin





Re: Security question

2003-12-06 Thread Scott C. Linnenbringer
On Sat, Dec 06, 2003, at 17:27 -0800, Alvin Oga wrote: 

> i say, if your ids does find an intruder .. game over ... too late ..

Unless *you* don't know you're harboring an intruder...


-- 
scott c. linnenbringer|   [EMAIL PROTECTED]
http://www.panix.com/~sl  |  [EMAIL PROTECTED]





Re: Security question

2003-12-06 Thread Alvin Oga

hi ya roberto

On Sat, 6 Dec 2003, Roberto Sanchez wrote:

> At the risk of starting a flamefest, what is a good IDS?  I ask because
> the recent compromises have got me thinking.  I have a couple of
> web/mail servers I am adminning at school, and I really have no way of
> knowing if they have been 0wn3d.  I (poorly) check the logs every 2 to 4
> weeks, but that doesn't seem like enough.
> 
> What does everyone else use?  (BTW, my servers run stable.)

as they say ... start turning thingz off first ...
- tighten your box to minimize the chances of a breakin
as opposed to worrying about detecting the breakin

i say, if your ids does find an intruder .. game over ... too late ..

c ya
alvin

hardening your debian servers..
http://www.debian.org/doc/manuals/securing-debian-howto/
http://www.Linux-Sec.net/Harden/

- upload your html pages to your webserver from your
internal webserver ... ( your backup of the webserver )

- not worth it to backup /var/spool/mail/{users}
- use secure pop3, secure imap ...
- make sure [EMAIL PROTECTED] uses johnssh as 
his pop3/imap/ssh login

- keep mail servers separate from web servers

- gazillion things to do ...

- which ids ...
- tripwire ... too much info ...too big
- aide ...

- save a copy offline of your binaries and libs
to a 2nd disk and diff them regularly/automatically

- send yourself an email if it doesn't match
and don't ignore those mails
( fix the false positive )

- reading logs is not worth the effort ... but if you like
- logcheck
- snort
http://www.Linux-Sec.net/Logger/

- on and on ..
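
The checksum-database approach described for integrit earlier on this page and the "save a copy offline ... and diff them regularly" advice above both come down to recording a baseline and comparing the live system against it. The following is an added example, not integrit, AIDE or tripwire code; the function names, the JSON baseline format and the sample tree are assumptions made for the illustration.

```python
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Describe one filesystem entry without following symlinks."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        digest = "link:" + os.readlink(path)   # a swapped link target is a change too
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    else:
        digest = "special"                      # device node, FIFO, socket
    # Mode bits catch a binary that quietly became setuid or world-writable.
    return {"digest": digest, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root, ignore=()):
    """Fingerprint everything under root, skipping the relative directories in ignore."""
    skip = {os.path.normpath(p) for p in ignore}
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        # Prune ignored directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in skip]
        for name in filenames + links:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            baseline[rel] = fingerprint(os.path.join(dirpath, name))
    return baseline


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return the paths that were added, removed or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(path, data, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed tree standing in for a server's binaries; returns the comparison."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "root")
        _write(os.path.join(root, "bin", "ls"), b"ls v1", 0o755)
        _write(os.path.join(root, "bin", "ps"), b"ps v1", 0o755)
        _write(os.path.join(root, "music", "song.mp3"), b"audio", 0o644)

        db = os.path.join(work, "baseline.json")  # in practice: read-only share or CD
        save_baseline(build_baseline(root, ignore=["music"]), db)

        # Simulated changes made after the baseline was taken.
        _write(os.path.join(root, "bin", "ps"), b"ps v1 (altered)", 0o755)
        _write(os.path.join(root, "bin", ".hidden"), b"new file", 0o644)
        os.chmod(os.path.join(root, "bin", "ls"), 0o777)
        _write(os.path.join(root, "music", "song.mp3"), b"retagged", 0o644)

        return compare(load_baseline(db), build_baseline(root, ignore=["music"]))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A non-empty result is the point at which the mail to yourself would be sent; the ignored `music` directory changes without being reported.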






Re: Security Question

2003-01-05 Thread Rob Weir
On Fri, Jan 03, 2003 at 12:27:34PM -0800, John Gedeon wrote:
> Thanks for all the help Colin,
> 
>   I will try that as soon as I get the chance.

Another thought: Are they using any sort of reasonably standard VPN?
There're a few different ipsec-based vpn packages in Debian, including
FreeSwan and openvpn.  Perhaps you could get one of them to work with
your company's system?

-rob





Re: Security Question

2003-01-03 Thread John Gedeon
Thanks for all the help Colin,

  I will try that as soon as I get the chance.

John

At 12:16 PM 1/3/2003, you wrote:

On Fri, Jan 03, 2003 at 11:25:32AM -0800, John Gedeon wrote:
> Thanks Colin for all the info.
> Here is the header stuff on PBINDING but i think its a waste of time to
> debug their stuff any further. I think I will try to downgrade to their
> version of glibc and try it.

Oh, I think I might know what's going on. No, don't downgrade glibc.
Current glibc is compiled against the kernel headers from Linux 2.4, not
Linux 2.2, and 2.4 no longer has a 'struct device' (it seems to be
called 'struct net_device' now). Since you're compiling something that
needs to know about details of a particular kernel version, you need to
compile it against the headers from that kernel, not glibc. Say you have
2.2.whatever kernel source unpacked in /path/to/some/directory (and have
configured it and run 'make dep' there); then make sure you compile with
the '-I/path/to/some/directory/include' compiler option.

> (is glibc mean gnu libc?? because they said they weren't sure that the
> gnu c libs were compatible with redhat which just confused me.)

Red Hat uses the GNU C Library too.

Cheers,

--
Colin Watson  [[EMAIL PROTECTED]]





--
<>< Proverbs 3:5 "Trust in the Lord with all your heart and lean not on 
your own understanding;"





Re: Security Question

2003-01-03 Thread Colin Watson
On Fri, Jan 03, 2003 at 11:25:32AM -0800, John Gedeon wrote:
> Thanks Colin for all the info.
> Here is the header stuff on PBINDING but i think its a waste of time to 
> debug their stuff any further. I think I will try to downgrade to their 
> version of glibc and try it.

Oh, I think I might know what's going on. No, don't downgrade glibc.
Current glibc is compiled against the kernel headers from Linux 2.4, not
Linux 2.2, and 2.4 no longer has a 'struct device' (it seems to be
called 'struct net_device' now). Since you're compiling something that
needs to know about details of a particular kernel version, you need to
compile it against the headers from that kernel, not glibc. Say you have
2.2.whatever kernel source unpacked in /path/to/some/directory (and have
configured it and run 'make dep' there); then make sure you compile with
the '-I/path/to/some/directory/include' compiler option.

> (is glibc mean gnu libc?? because they said they weren't sure that the
> gnu c libs were compatible with redhat which just confused me.)

Red Hat uses the GNU C Library too.

Cheers,

-- 
Colin Watson  [[EMAIL PROTECTED]]






Re: Security Question

2003-01-03 Thread John Gedeon
Thanks Colin for all the info.
Here is the header stuff on PBINDING but i think its a waste of time to 
debug their stuff any further. I think I will try to downgrade to their 
version of glibc and try it. (is glibc mean gnu libc?? because they said 
they weren't sure that the gnu c libs were compatible with redhat which 
just confused me.)

ps how does one get earlier versions of things with dselect?

typedef struct {
    /* description of the device */
    struct device *pDevice;
    struct packet_type *pPT;
    int (*InjectReceive) (struct sk_buff *, struct device *,
                          struct packet_type *);
    int (*InjectSend) (struct sk_buff * skb, struct device * dev);
    int original_mtu;
    struct dst_entry *dst;

    BOOL injectSendCalled;
    BOOL injectRecvCalled;
    inject_status send_stat;
    inject_status recv_stat;
} BINDING, *PBINDING;

Thanks again
John

At 11:08 AM 1/3/2003, you wrote:
On Fri, Jan 03, 2003 at 11:03:36AM -0800, John Gedeon wrote:

> >> > I get the following compile time errors: linuxcniapi.c: In
> >> > function `CNI_LINUXGetMacAddress': linuxcniapi.c:1118:
> >> > dereferencing pointer to incomplete type linuxcniapi.c:1120:
> >
> >Can we see a few lines of code around those locations in that file?
>
> lines 1107 - 1128
>
> PBINDING pBinding;
>
> if (!Binding)
> return CNI_E_BAD_BINDING;
>
> pBinding = (PBINDING) Binding;
>
> if (!ppMacAddress || !pulMacAddressSize)
> return CNI_E_BAD_PARAMETER;
>
>
> *ppMacAddress = pBinding->pDevice->dev_addr;   // 1118

That suggests to me that some header file is not being properly included
at the top of linuxcniapi.c. I don't know which without knowing what
PBINDING expands to, though (it'll be a #define or a typedef for some
other type).

--
Colin Watson  [[EMAIL PROTECTED]]





--
<>< Proverbs 3:5 "Trust in the Lord with all your heart and lean not on 
your own understanding;"





Re: Security Question

2003-01-03 Thread Colin Watson
On Fri, Jan 03, 2003 at 11:03:36AM -0800, John Gedeon wrote:

> >> > I get the following compile time errors: linuxcniapi.c: In
> >> > function `CNI_LINUXGetMacAddress': linuxcniapi.c:1118:
> >> > dereferencing pointer to incomplete type linuxcniapi.c:1120:
> >
> >Can we see a few lines of code around those locations in that file?
> 
> lines 1107 - 1128
> 
> PBINDING pBinding;
> 
> if (!Binding)
> return CNI_E_BAD_BINDING;
> 
> pBinding = (PBINDING) Binding;
> 
> if (!ppMacAddress || !pulMacAddressSize)
> return CNI_E_BAD_PARAMETER;
> 
> 
> *ppMacAddress = pBinding->pDevice->dev_addr;   // 1118

That suggests to me that some header file is not being properly included
at the top of linuxcniapi.c. I don't know which without knowing what
PBINDING expands to, though (it'll be a #define or a typedef for some
other type).

-- 
Colin Watson  [[EMAIL PROTECTED]]






Re: Security Question

2003-01-03 Thread John Gedeon



> > I get the following compile time errors: linuxcniapi.c: In
> > function `CNI_LINUXGetMacAddress': linuxcniapi.c:1118:
> > dereferencing pointer to incomplete type linuxcniapi.c:1120:

> Can we see a few lines of code around those locations in that file?


lines 1107 - 1128

    PBINDING pBinding;

    if (!Binding)
        return CNI_E_BAD_BINDING;

    pBinding = (PBINDING) Binding;

    if (!ppMacAddress || !pulMacAddressSize)
        return CNI_E_BAD_PARAMETER;


    *ppMacAddress = pBinding->pDevice->dev_addr;   // 1118

    if (ippp_dev(pBinding->pDevice) || (pBinding->pDevice->hard_header_len == 4)) {  // 1120
        *pulMacAddressSize = ETH_ALEN;  // 1121
    }
    else if (pBinding->pDevice->hard_header_len == ETH_HLEN) {
        *pulMacAddressSize = pBinding->pDevice->addr_len;
    }

    return CNI_SUCCESS;
}



--
<>< Proverbs 3:5 "Trust in the Lord with all your heart and lean not on 
your own understanding;"





Re: Security Question - .config

2003-01-03 Thread Mike Dresser
On Fri, 3 Jan 2003, Alvin Oga wrote:

> On Fri, 3 Jan 2003, Colin Watson wrote:
>
> > On Fri, Jan 03, 2003 at 08:54:27AM -0800, John Gedeon wrote:
> > > I had another question that is related to my IT guys response:
> > >When I compiled their vpn client, it was looking for modversions.h
> > > which I found you had to run make old-config (not sure of exact command) to
> > > get the source to generate that file.
> >
> > 'make dep' is enough, I think.
>
> think you might wanna try
>   cd /usr/local/src/linux-2.4.19
>   mv .config .config.xxx
>   make oldconfig   ( should be your current kernel's config )
>   make dep ; make clean ; make bzlilo ... blah
>
> c ya
> alvin

He's compiling a VPN client, not the kernel though.

Mike






Re: Security Question - .config

2003-01-03 Thread Alvin Oga


On Fri, 3 Jan 2003, Colin Watson wrote:

> On Fri, Jan 03, 2003 at 08:54:27AM -0800, John Gedeon wrote:
> > I had another question that is related to my IT guys response:
> >When I compiled their vpn client, it was looking for modversions.h 
> > which I found you had to run make old-config (not sure of exact command) to 
> > get the source to generate that file.
> 
> 'make dep' is enough, I think.

think you might wanna try
cd /usr/local/src/linux-2.4.19
mv .config .config.xxx
make oldconfig   ( should be your current kernel's config )
make dep ; make clean ; make bzlilo ... blah

c ya
alvin






Re: Security Question

2003-01-03 Thread John Gedeon
At 09:01 AM 1/3/2003, you wrote:

> On Fri, Jan 03, 2003 at 08:54:27AM -0800, John Gedeon wrote:
> > I had another question that is related to my IT guys response:
> >When I compiled their vpn client, it was looking for modversions.h
> > which I found you had to run make old-config (not sure of exact command) to
> > get the source to generate that file.
>
> 'make dep' is enough, I think.

I assume make dep makes the current dependencies?

From my research online it said that modversions.h was going to be 
obsoleted and in my look
through the source files for my kernel I didn't find it.

John



--
<>< Proverbs 3:5 "Trust in the Lord with all your heart and lean not on 
your own understanding;"





Re: Security Question

2003-01-03 Thread John Gedeon
At 09:01 AM 1/3/2003, Colin wrote:

> *ahem*
>
> I *really* wouldn't bother trying to convince them. It's not worth
> fighting with people like that.


Okay I will keep that in mind thanks 4 the tip :)



> Can we see a few lines of code around those locations in that file?


If there doesn't seem to be any proprietary stuff I will surely post it to 
the list. But I have to check first.
(I don't want to be in trouble for compromising the company's vpn but I 
don't see it as a problem
 since you would need authentication codes.)

John


--
<>< Proverbs 3:5 "Trust in the Lord with all your heart and lean not on 
your own understanding;"





Re: Security Question

2003-01-03 Thread Colin Watson
On Fri, Jan 03, 2003 at 08:54:27AM -0800, John Gedeon wrote:
> I had another question that is related to my IT guys response:
>When I compiled their vpn client, it was looking for modversions.h 
> which I found you had to run make old-config (not sure of exact command) to 
> get the source to generate that file.

'make dep' is enough, I think.

> Once I did that I got tons of compile errors in their code. When I
> approached them about it they told me that they only tested it on Red
> Hat 6.2 with glibc 2.1.1-6 with kernel 2.2.12 and claimed any
> compatible versions will work. (that's also when they said that Debian
> was a beta OS)

*ahem*

I *really* wouldn't bother trying to convince them. It's not worth
fighting with people like that.

>   My installation of Debian is with kernel 2.2.20, I have libstdc 
> 2.10-glibc2.2 installed and they claim that glibc 2.1.1-6 or higher will 
> work. They told me to make sure that my glibc was compatible with Red 
> Hat's, I figured they were the same but wanted to know if that was true.

There have been plenty of changes in newer versions of glibc. Sometimes
code has to change to cope. Usually, though, it's just changing to be
more correct. Compatibility problems between the same version of glibc
in different distributions are rare, though, and claiming that as a
first response to a problem is foolish.

> > I get the following compile time errors: linuxcniapi.c: In
> > function `CNI_LINUXGetMacAddress': linuxcniapi.c:1118:
> > dereferencing pointer to incomplete type linuxcniapi.c:1120:

Can we see a few lines of code around those locations in that file?

-- 
Colin Watson  [[EMAIL PROTECTED]]






Re: Security Question

2003-01-03 Thread John Gedeon
Thanks for all the input guys, it has been very helpful.
Didn't mean to sound like a troll or start any flames, just wanted to be 
sure that my IT people were as misinformed as I thought they were (I am 
biased towards Debian when I pick linux flavors but I wanted to be sure my 
bias had some backing ;) ). I will let them know of their mis-understanding.

I had another question that is related to my IT guys response:
   When I compiled their vpn client, it was looking for modversions.h 
which I found you had to run make old-config (not sure of exact command) to 
get the source to generate that file. Once I did that I got tons of compile 
errors in their code. When I approached them about it they told me that 
they only tested it on Red Hat 6.2 with glibc 2.1.1-6 with kernel 2.2.12 
and claimed any compatible versions will work. (that's also when they said 
that Debian was a beta OS)  In my shock I started my own research

  My installation of Debian is with kernel 2.2.20, I have libstdc 
2.10-glibc2.2 installed and they claim that glibc 2.1.1-6 or higher will 
work. They told me to make sure that my glibc was compatible with Red 
Hat's, I figured they were the same but wanted to know if that was true.

  I have done some looking but don't really know where to start. I was 
wondering if any of you had compile issues with programs written in c which 
compile on Red Hat but not on Debian? Below is an excerpt of the errors I 
get (i didn't want to list them all since this email is long enough. and 
all the errors are of the same type just different locations).

> I get the following compile time errors: linuxcniapi.c: In
> function `CNI_LINUXGetMacAddress': linuxcniapi.c:1118:
> dereferencing pointer to incomplete type linuxcniapi.c:1120:
> dereferencing pointer to incomplete type linuxcniapi.c:1123:
> dereferencing pointer to incomplete type linuxcniapi.c:1124:
> dereferencing pointer to incomplete type linuxcniapi.c: In
> function `CNI_LINUXGetMacName': linuxcniapi.c:1175:
> dereferencing pointer to incomplete type linuxcniapi.c: In
> function `CNI_LINUXInjectReceive': linuxcniapi.c:1293:
> dereferencing pointer to incomplete type linuxcniapi.c:1300:
> warning: assignment from incompatible pointer type
> linuxcniapi.c:1302: dereferencing pointer to incomplete type
> linuxcniapi.c:1305: dereferencing pointer to incomplete type

Thanks for any input you guys can offer.
John





Re: Security Question

2003-01-02 Thread Rob VanFleet
> John Gedeon wrote:
> 
> >  I have Debian installed on my home computer (3.0 stable version) I want 
> > to use it to remote login in to work, however the people in charge of the 
> > remote logins (IT) at my work say that Debian has lots of security holes. I 
> > was wondering what security holes Debian may have (especially in comparison 
> > to Red Hat) if any. And if any of those cannot be taken care of. They also 
> > claimed that Debian isn't stable in comparison to Red Hat, Is Red Hat more 
> > stable? From what I have read and understand Debian is very stable and 
> > secure (at least it is equivalent in security and stability to Red Hat). Is 
> > this true?
> > 
> >   I am asking for this information so that I have more backing when I tell 
> > the IT people here that Debian as good if not better than Red Hat. I would 
> > prefer to use Debian.

It just sounds like your IT people haven't looked into Debian very much,
if at all.  Odds are that if they actually did, then they probably did
something like run Nessus (or something similar) on a Debian machine
that checks for security holes merely by obtaining version numbers,
which is less than reliable.  Explain to them that Debian backports
security fixes into the version existing in stable, if possible, rather
than introduce an entirely new version into the distribution.  That
conservative philosophy involving the introduction of new package
versions should say enough about Debian's stability.

Rob






Re: Security Question

2003-01-02 Thread Noah L. Meyerhans
On Thu, Jan 02, 2003 at 03:39:22PM -0800, John Gedeon wrote:
>  I have Debian installed on my home computer (3.0 stable version) I want 
> to use it to remote login in to work, however the people in charge of the 
> remote logins (IT) at my work say that Debian has lots of security holes. 

It's unfortunate that people hold such uninformed and biased opinions.
The fact is that the Debian security team coordinates security updates
with Redhat and other Linux distributors and typically releases package
updates at exactly the same time as Redhat.  Can your IT people point to
specifics, or are they just arguing based on an irrational belief?  I
find that the most common misconception is that people believe that a
company is more capable of producing secure software than a non profit
organisation.  Perhaps that's what they're thinking.

> They also claimed that Debian isn't stable in comparison to Red Hat,
> Is Red Hat more stable? From what I have read and understand Debian is
> very stable and secure (at least it is equivalent in security and
> stability to Red Hat). Is this true?

I would actually claim that Debian is more likely to be stable.  Redhat
patches their kernel heavily.  Debian, OTOH, sticks to mostly stock
kernels with few modifications.  Since we stick to the real, officially
maintained Linux kernel source, it's more likely that our kernels
consist only of well tested code that is known to interoperate well.  I
don't think Redhat can make that claim.  Of course, this argument is
irrelevant if you build your own kernels from kernel.org under Redhat.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: Security Question

2003-01-02 Thread Colin Watson
On Thu, Jan 02, 2003 at 03:39:22PM -0800, John Gedeon wrote:
>  I have Debian installed on my home computer (3.0 stable version) I want 
> to use it to remote login in to work, however the people in charge of the 
> remote logins (IT) at my work say that Debian has lots of security holes. I 
> was wondering what security holes Debian may have (especially in comparison 
> to Red Hat) if any. And if any of those cannot be taken care of. They also 
> claimed that Debian isn't stable in comparison to Red Hat, Is Red Hat more 
> stable? From what I have read and understand Debian is very stable and 
> secure (at least it is equivalent in security and stability to Red Hat). Is 
> this true?

It sounds like your IT people are just biased. As such, it may not be
worth your while trying to convince them. Suffice it to say that, if
Debian is less stable and secure than Red Hat, nobody's told us about
it, and when I listen in on conversations among clued-up sysadmins I
never hear such complaints. There may well be other complaints, but
stability and security aren't among them; quite the opposite, in fact.

An anecdote may serve: the Debian security team once informed me about a
security hole in one of my packages (groff), about which Red Hat had
recently issued an advisory. It turned out that the problem had been
fixed in Debian over five months beforehand, and so we had been able to
forget that the problem ever existed before they got round to fixing it.

(This is judging from my mail archives - I may be a month or two out
either way, but that's the gist.)

-- 
Colin Watson  [[EMAIL PROTECTED]]






Re: Security Question

2003-01-02 Thread Alvin Oga

hi ya john

On Thu, 2 Jan 2003, Jamin W. Collins wrote:

> While this message screams troll, there's the possibility your question
> is legit.

yuppers.. 
 
> On Thu, Jan 02, 2003 at 03:39:22PM -0800, John Gedeon wrote:
> > I have Debian installed on my home computer (3.0 stable version) I
> > want to use it to remote login in to work, however the people in
> > charge of the remote logins (IT) at my work say that Debian has lots
> > of security holes. 
> 
> Is Debian free of potential security holes, no.  Is _any_ software free
> of security holes, extremely doubtful. 
>  
> > I was wondering what security holes Debian may have (especially in
> > comparison to Red Hat) if any. And if any of those cannot be taken
> > care of.
> 
> None that I'm aware of.
> 
> > They also claimed that Debian isn't stable in comparison to Red Hat,
> > Is Red Hat more stable? 
> 
> Not in my experience.  Additionally, I find Debian much easier to
> maintain and update.

"depends" on your definition of "stable"...
- if you mean each time you install rh or deb you get exactly
the same thing ... then you should install from cdrom

- if you mean "unstable/testing" branch of debian vs released
copies of redhat  
- that's not the same thing .. not a legit comparison
( regular users don't get access to redhat's testing tree )

> > I am asking for this information so that I have more backing when I
> > tell the IT people here that Debian as good if not better than Red
> > Hat. I would prefer to use Debian.

for security statistics ... one has to normalize number of hacked
redhat machines w/ its installed base ... and similarly for debian
and then compare percentages of "[cr/h]acked boxes"...
-
- a relaxed "security admin policy" is usually the first culprit
-

- see if any of these sounds like your environment
top 20 security problems...
http://www.sans.org/top20

top 7 management mistakes...
http://www.sans.org/newlook/resources/errors.htm

top-10 attacks around the world
http://www.dshield.org

when one says that x is better than y  i start up with:

i start from, all linux distro is usually exactly the same..
( different versions ... older vs latest/greatest issue...
( latest being better since it's fixed known bugs
( latest being worse, as it might have new bugs
- same kernel
- same bash
- same apache
- same exim/sendmail
- same glibc
- same 10,000 packages

what makes each linux distro different
- the gui for the user to install the selected/desired apps
- the way if any for updating the installed system w/ patches


commercial entities need to generate revenue !!!
- you do that by getting $300/incident tech support phone calls
- things that used to work... breaks in the next release ...
  no reason for that except ... :-)


c ya
alvin






Re: Security Question

2003-01-02 Thread Jamin W. Collins
While this message screams troll, there's the possibility your question
is legit.

On Thu, Jan 02, 2003 at 03:39:22PM -0800, John Gedeon wrote:

> I have Debian installed on my home computer (3.0 stable version) I
> want to use it to remote login in to work, however the people in
> charge of the remote logins (IT) at my work say that Debian has lots
> of security holes. 

Is Debian free of potential security holes, no.  Is _any_ software free
of security holes, extremely doubtful. 
 
> I was wondering what security holes Debian may have (especially in
> comparison to Red Hat) if any. And if any of those cannot be taken
> care of.

None that I'm aware of.

> They also claimed that Debian isn't stable in comparison to Red Hat,
> Is Red Hat more stable? 

Not in my experience.  Additionally, I find Debian much easier to
maintain and update.

> I am asking for this information so that I have more backing when I
> tell the IT people here that Debian as good if not better than Red
> Hat. I would prefer to use Debian.

Sounds like the members of your IT department (or at least those you've
spoken with) are just biased.  I would ask them to provide a basis for
their statements.

-- 
Jamin W. Collins






Re: Security Question

2003-01-02 Thread Craig Dickson
John Gedeon wrote:

>  I have Debian installed on my home computer (3.0 stable version) I want 
> to use it to remote login in to work, however the people in charge of the 
> remote logins (IT) at my work say that Debian has lots of security holes. I 
> was wondering what security holes Debian may have (especially in comparison 
> to Red Hat) if any. And if any of those cannot be taken care of. They also 
> claimed that Debian isn't stable in comparison to Red Hat, Is Red Hat more 
> stable? From what I have read and understand Debian is very stable and 
> secure (at least it is equivalent in security and stability to Red Hat). Is 
> this true?
> 
>   I am asking for this information so that I have more backing when I tell 
> the IT people here that Debian as good if not better than Red Hat. I would 
> prefer to use Debian.

The IT people at your workplace are uninformed.

When a vulnerability is publicized, Debian usually has a fix out before
Red Hat does; sometimes Red Hat's fix comes out as much as several weeks
later. Also, Debian's installer has less of a tendency to give you all
sorts of vulnerable services most people don't need, so the default
installation is more secure than Red Hat's.

I don't recall ever seeing a Debian machine crash, so I'm not sure how
Debian could possibly be less stable than Red Hat.

Craig





Re: security question: running a public ftp server

2000-12-16 Thread Henry House
On Sat, Dec 16, 2000 at 12:09:22AM -0800, Peter Jay Salzman wrote:
> can someone point me to documentation specifically aimed at beefing up
> security of ftp and apache?   everything is behind an LRP (linux router
> project) firewall, so i'm pretty secure otherwise.  i let hardly anything in
> or out, everything gets logged, and i actually look at the logs.  i run tara
> every so often, and i'm very conscious about password security.

I can't suggest any resources besides the respective sets of documentation.
You can pro-actively enhance the security of your FTP daemon by running it
chrooted and under a user id that cannot write to the daemon's directory.
A successful exploit in this case will not do much harm.

> however, i'm curious about vulnerabilities in the ftp and www daemons
> themselves.

As varied as the daemons themselves. Most are buffer overflows or failure to
properly check user input. In the case of httpd, carelessly written cgis are
the biggest concern.

-- 
Henry House
OpenPGP key available from http://hajhouse.org/hajhouse.asc




Re: Security Question

1999-08-30 Thread Mario Olimpio de Menezes
On Sat, 28 Aug 1999, Mark Wagnon wrote:

> 
> The only thing I recognize is tripwire, and that from reading it in
> few posts, but it appears to be available only in rpm format, and as
> source only.

tripwire is available as .deb (section non-free/admin) at least in slink.

[]s,
Mario O.de Menezes              "Many are the plans in a man's heart, but
IPEN-CNEN/SP                     is the Lord's purpose that prevails"
http://curiango.ipen.br/~mario                   Prov. 19.21


Re: Security Question

1999-08-28 Thread Nathan Duehr
Check out Abacus PortSentry if you're looking for pretty good portscanning
detection software.  He also does a log scanner and a host protection
scanner.

http://www.psionic.org/

On Sat, 28 Aug 1999, Mark Wagnon wrote:

> Hi all:
> 
> I'm looking at Firewall and Security listing on Freshmeat, but I
> have no idea what I should consider installing to tighten up my box.
> My immediate goal is to not allow anything into or out of my home
> network, unless it happens to be for email/news, ftp to other sites,
> and Internet browsing. 
> 
> I've been lurking in a few lists, and I keep reading about port
> scans, so I'd like to learn more about them, and how to detect/log
> them, etc.
> 
> The only thing I recognize is tripwire, and that from reading it in
> few posts, but it appears to be available only in rpm format, and as
> source only.
> 
> Also, IIRC, I should compile security related software on my machine
> since one isn't to trust a binary from an external source. Is this
> correct?
> 
> I'm off to read the Security HOWTO
> 
> 'nite!
> -- 
>  (   __   _
> Mark Wagnon   ) Debian GNU/ -o) / /  (_)__  __   __
> Chula Vista, CA  (  /\\/ /__/ / _ \/ // /\ \/ /
> [EMAIL PROTECTED] ) www.debian.org _\_v/_/_//_/\_,_/ /_/\_\
> 
> 
> -- 
> Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
> 
> 

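+-----------------------------------+--------------------------------+
| Nate Duehr - [EMAIL PROTECTED]    | Support Amateur Radio & Linux! |
| Private Pilot, Telephony Engineer |  Ham Callsign: N0NTZ           |
| UNIX Hack, Perl Hack, Tech-Freak  |  Grid Square: DM79             |
|                                   | "May the Source be with you."  |
+-----------------------------------+--------------------------------+
| HamRadio and Linux mailing lists available for interested parties: |
|              http://www.natetech.com/mailman/listinfo              |
+--------------------------------------------------------------------+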


Re: Security Question

1999-08-28 Thread Andrei Ivanov
> I've been lurking in a few lists, and I keep reading about port
> scans, so I'd like to learn more about them, and how to detect/log
> them, etc.
> 
> The only thing I recognize is tripwire, and that from reading it in
> few posts, but it appears to be available only in rpm format, and as
> source only.

As far as portscans are concerned, I use portsentry (I had the URL
somewhere..try www.psionic.com)
If you want to portscan your own machine, use nmap or write a simple
portscanner yourself. What a portscanner essentially does is checking a
target host for any ports open (each port corresponds to a certain service
running, like telnetd, ftpd, httpd, echo, etc. Look in /etc/services for
more info.) From there the attacker decides which exploits to use.
So...essential to security is limiting the number of services running. Use
inetd.conf for it.

Tripwire is ok. It's primarily used for routine system check or when you
suspect someone got in, and want to make sure that none of the vital
programs have been changed.
Use alien to convert rpm binary into deb binary, or just compile it
yourself.

Along with portsentry you should firewall your machine (Planning on
starting on that myself today). It's in the Security HOWTO.

Andrew

---
 Andrei S. Ivanov  
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 UIN 12402354  
 http://scorpio.myip.org<--All the pages bundled together.
---
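One way to act on the advice above about limiting services through inetd.conf, as an added example that is not part of the original post: it parses inetd.conf and /etc/services text and reports entries that are enabled but not needed, or that run as root. The sample file contents and the `wanted` set are constructed assumptions.

```python
# Constructed sample in the classic inetd.conf column layout:
# service  socket-type  protocol  wait-flag  user  server-program  arguments
SAMPLE_INETD_CONF = """\
# constructed sample, not taken from the thread
echo     stream  tcp  nowait  root    internal
#discard stream  tcp  nowait  root    internal
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd
#finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
ident    stream  tcp  wait    identd  /usr/sbin/identd  identd
"""

# Constructed excerpt in /etc/services layout: name  port/protocol  [aliases]
SAMPLE_SERVICES = """\
echo     7/tcp
discard  9/tcp    sink null
ftp      21/tcp
telnet   23/tcp
finger   79/tcp
ident    113/tcp  auth tap
"""

def parse_services(text):
    """Map (name, protocol) -> port, including aliases."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:
            ports[(name, proto)] = int(port)
    return ports

def parse_inetd(text):
    """Return the enabled entries; lines starting with '#' are disabled."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        entries.append({
            "service": fields[0],
            "proto": fields[2],
            "user": fields[4].split(".")[0],  # field may be user.group
            "server": fields[5],
        })
    return entries

def audit(inetd_text, services_text, wanted):
    """Return {service: (port, [reasons])} for enabled entries worth a look."""
    ports = parse_services(services_text)
    findings = {}
    for e in parse_inetd(inetd_text):
        reasons = []
        if e["service"] not in wanted:
            reasons.append("enabled but not needed")
        if e["user"] == "root" and e["server"] != "internal":
            reasons.append("runs as root")
        if reasons:
            port = ports.get((e["service"], e["proto"]))
            findings[e["service"]] = (port, reasons)
    return findings

if __name__ == "__main__":
    # 'wanted' is the set of services this host is supposed to offer (assumption).
    for svc, (port, reasons) in audit(SAMPLE_INETD_CONF, SAMPLE_SERVICES, {"ftp"}).items():
        print(f"{svc} (port {port}): {'; '.join(reasons)}")
```
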