Looks that way. I guess I mis-interpreted the grsec docs
(and since I don't have a kernel compiled with TPE, I didn't
test it). It seems that it already does what I suggested it
do: not allow mmap with PROT_EXEC under certain conditions.
(You did make sure that this behaviour isn't
-Original Message-
From: Peter Cordes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 9:35 AM
To: [EMAIL PROTECTED]
Subject: Re: execute permissions in /tmp
On Tue, Jul 15, 2003 at 09:38:45AM +0200, DEFFONTAINES Vincent wrote:
On Sun, Jul 13, 2003 at 11:55:45PM
-Original Message-
From: Peter Cordes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 9:35 AM
To: debian-security@lists.debian.org
Subject: Re: execute permissions in /tmp
On Tue, Jul 15, 2003 at 09:38:45AM +0200, DEFFONTAINES Vincent wrote:
On Sun, Jul 13, 2003
On Sun, Jul 13, 2003 at 11:55:45PM -0400, Matt Zimmerman wrote:
If the user can read files in /tmp, they can execute the
code in them.
even if the user is a nobody that owns no files or
directories and grsecurity, selinux or the like prevents
him/her from directly executing code from
While I agree with your observation I feel compelled to
defend his point.
He said mounting /tmp will stop MOST Trojans. While it might
not stop a trojan planted by a person, it will stop a trojan
planted by a worm (which is what this thread is about) since
the author of the worm might
Have a look at the coroner toolkit from Dan Farmer and Wietse Venema.
Debian packaged : tct
It is advised *not* to turn off your box, maybe you can unplug its
network...
not sure it's a good idea even.
http://www.fish.com/tct/help-when-broken-into
Chosen extract :
What to do
---
The
Hello
On a freshly installed Woody, I've a strange problem: After a
syslogd restart (by hand or logrotate) I lose the kernel
messages. All the other facilities are well, only kern.* is
missing.
Klogd is reporting the messages to the display as well, but
syslogd doesn't catch them.
-Original Message-
From: Josh Carroll [mailto:[EMAIL PROTECTED]
Sent: Friday 21 March 2003 08:46
To: [EMAIL PROTECTED]
Subject: Re: is iptables enough?
There are a couple of reasons why I use -j DROP
instead of -j REJECT. Firstly, sending responses to
packets you're dropping
-Original Message-
From: Josh Carroll [mailto:[EMAIL PROTECTED]
Sent: Friday 21 March 2003 08:46
To: debian-security@lists.debian.org
Subject: Re: is iptables enough?
There are a couple of reasons why I use -j DROP
instead of -j REJECT. Firstly, sending responses to
packets
[EMAIL PROTECTED]:~# iptables-save
# Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
*nat
:PREROUTING ACCEPT [17038:1364291]
:POSTROUTING ACCEPT [1561:131055]
:OUTPUT ACCEPT [7155:558179]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j REDIRECT
--to-ports 4
-A
You can
1. Remove the users access to the ssh program
(eg change ownership and rights of /usr/bin/ssh and create a ssh group for
allowed outgoing ssh users).
2. Mount /home, /tmp and any other place users might have write access on
with the noexec switch, so they can only use binaries installed
Is it http://www.debian.org/banners/ you are talking about? :-)
-Original Message-
From: Jord Swart [mailto:[EMAIL PROTECTED]]
Sent: Friday 10 January 2003 16:21
To: [EMAIL PROTECTED]
Subject: Re: A new Banner for the new Year
On Friday 10 January 2003 14:49, Daniel J. Rychlik
Is it http://www.debian.org/banners/ you are talking about? :-)
-Original Message-
From: Jord Swart [mailto:[EMAIL PROTECTED]
Sent: Friday 10 January 2003 16:21
To: debian-security@lists.debian.org
Subject: Re: A new Banner for the new Year
On Friday 10 January 2003 14:49,
-Original Message-
From: Josh Carroll [mailto:[EMAIL PROTECTED]]
Sent: Wednesday 8 January 2003 00:30
To: [EMAIL PROTECTED]
Subject: TCP port 6352?
Having failed to find any information about TCP port 6352 via
google or /etc/services, I
figured I'd ask here. I'm seeing an
-Original Message-
From: Josh Carroll [mailto:[EMAIL PROTECTED]
Sent: Wednesday 8 January 2003 00:30
To: debian-security@lists.debian.org
Subject: TCP port 6352?
Having failed to find any information about TCP port 6352 via
google or /etc/services, I
figured I'd ask here.
Hi
I have a host in my DMZ that has both anonymous ftp and pop3
ports open
(this can't be changed). since I really don't trust this setup, I was
thinking about ways to isolate this host so no one who breaks into this
computer, can access other computers on the DMZ (although other
computers
I personally used courier-pop which did good, but never did I compare it
with others.
-Original Message-
From: Ted Roby [mailto:[EMAIL PROTECTED]]
Sent: Friday 6 December 2002 11:51
To: [EMAIL PROTECTED]
Subject: pop mail recommendations
I have setup exim to host my domain's
I personally used courier-pop which did good, but never did I compare it
with others.
-Original Message-
From: Ted Roby [mailto:[EMAIL PROTECTED]
Sent: Friday 6 December 2002 11:51
To: debian-security@lists.debian.org
Subject: pop mail recommendations
I have setup exim to
From what you are posting, I cannot deduce you were attacked with accuracy.
It might be a peer to peer badly configured (or written) software, maybe
some network performance auditing tool trying to {ping/tcpping/udpping}
random IPs on the net (yeah, some really do that and attempt an icmp reply
To correctly audit your configuration, I need an output of
/sbin/iptables -L -n -v
The mere /sbin/iptables -L [-n] is not sufficient to me, cause it won't
reveal the per interface filters.
Vincent
-Original Message-
From: Tore Nilsson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday 4
the
firewall works.
-Original Message-
From: Tore Nilsson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday 4 December 2002 15:13
To: DEFFONTAINES Vincent
Cc: [EMAIL PROTECTED]
Subject: Re: IPTables configuration.
Hi!
The machine is a standalone web server. I've been getting
-Original Message-
From: Tore Nilsson [mailto:[EMAIL PROTECTED]
Sent: Wednesday 4 December 2002 15:13
To: DEFFONTAINES Vincent
Cc: debian-security@lists.debian.org
Subject: Re: IPTables configuration.
Hi!
The machine is a standalone web server. I've been
Message-
From: Tore Nilsson [mailto:[EMAIL PROTECTED]
Sent: Wednesday 4 December 2002 15:19
To: DEFFONTAINES Vincent
Cc: debian-security@lists.debian.org
Subject: Re: IPTables configuration.
Hi!
The machine is a standalone web server. I've been getting a bunch of
portscans and some
From: Haim Ashkenazi [mailto:[EMAIL PROTECTED]]
When making an encrypted file system (AES on both occasion) everything
works great except I can't run binaries (or even shell scripts without
running bash script) that are inside the encrypted file system.
there is no noexec option in fstab,
From: Haim Ashkenazi [mailto:[EMAIL PROTECTED]
When making an encrypted file system (AES on both occasion) everything
works great except I can't run binaries (or even shell scripts without
running bash script) that are inside the encrypted file system.
there is no noexec option in fstab,
Some companies sell products such as this :
http://www.symmetrypro.com/FaB.htm
that any clueless user can install with the help of 3 mouse clicks on their
desktop.
It autodetects proxy settings, creates an HTTP tunnel through corporate
proxy to software editor company server, so you can read your
-Original Message-
From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 19 November 2002 15:30
To: DEFFONTAINES Vincent
Cc: [EMAIL PROTECTED]
Subject: Re: Bypassing proxies
On Tue, 19 Nov 2002 at 02:48:04PM +0100, DEFFONTAINES Vincent wrote:
Wondering if some
-Original Message-
From: Fadel [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 19 November 2002 16:05
To: [EMAIL PROTECTED]@plutao.siteplanet.com.br
Subject:
Hi there,
I got trouble in my network while trying to block Kazaa.
I tried to drop port 1214 with this rule:
iptables
Wondering if some people know of some content-aware
proxies/filters, to
attempt to block [some of] those dangerous products (apart
from maintaining
a black-list...)
Since the traffic is encrypted, content filtering
will not trigger.
That's true for HTTPS, not HTTP.
And still,
-Original Message-
From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]
Sent: Tuesday 19 November 2002 15:30
To: DEFFONTAINES Vincent
Cc: debian-security@lists.debian.org
Subject: Re: Bypassing proxies
On Tue, 19 Nov 2002 at 02:48:04PM +0100, DEFFONTAINES Vincent wrote
-Original Message-
From: Fadel [mailto:[EMAIL PROTECTED]
Sent: Tuesday 19 November 2002 16:05
To: debian-security@lists.debian.org@plutao.siteplanet.com.br
Subject:
Hi there,
I got trouble in my network while trying to block Kazaa.
I tried to drop port 1214 with this
Did you check the Secure-Programs-Howto ?
It is a very good document
http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/index.html
Hope this helps
Vincent
-Original Message-
From: Peter Ondraska [mailto:ondraska;dcs.fmph.uniba.sk]
Sent: Tuesday 12 November 2002 14:48
To: [EMAIL
-Original Message-
From: Jan Eringa [mailto:jan.eringa;orbian.com]
Sent: Tuesday 12 November 2002 15:11
To: DEFFONTAINES Vincent
Subject: Re: errorlists
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
www.phrack.org is also a good place for in depth discussions
-Original Message-
From: Jan Eringa [mailto:[EMAIL PROTECTED]
Sent: Tuesday 12 November 2002 15:11
To: DEFFONTAINES Vincent
Subject: Re: errorlists
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
www.phrack.org is also a good place for in depth discussions on these
Phrack #50
Greetings,
I managed to create several Virtualhosts on an apache-ssl (1.3) server (same
IP, same port, several names).
The trick is to use the same Certificate for every Virtualhost, which will
of course generate a warning on browsers, due to certificate not matching
most of the sites' names. But
As mentioned before in this thread, you definitely can specify junkbuster
it should listen only on one address (ie 127.0.0.1, or whichever).
On privoxy (which is an evolution of junkbuster, but present only in sid
(?)) I have this in /etc/privoxy/config :
listen-address 127.0.0.1:8118
I can't
Many of these user accounts will no doubt be sending and
receiving email
from dial-up accounts, which limits the ability to deny service on a
per-IP basis. Suggestions for security, with pointers, please? I
already plan on SSL, I'm asking I guess more about open relay
issues in
this
It seems to me, you need not only the patch-int, but also the loop patch,
which can be found at
ftp://ftp.kernel.org/pub/linux/crypto/v2.4/testing/loop-hvr-2.4.18.0.patch
You have to use it else the cryptoloop compile part fails.
Why the loop patch is not included in the patch-int patch, I do not