nerability
that can cause a system compromise in a popular package.
--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
next to you may not be who they
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=204711
ites, why not
read the fine manual: http://httpd.apache.org/docs/logs.html
--
Jamie Heilman http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
-Frank Zappa
date string could be used only
> for file creation after apache process receives SIGUSR1.
Grab the cronolog package, it's easier and less intrusive.
--
Jamie Heilman http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality. Before we kn
t finding
those high ports... But, just pushing the port numbers down below 1024
won't solve anything. You're much better off filtering traffic to
those ports with ipfilter and backing that up with a good tcp_wrappers
configuration.
--
Jamie Heilman http://audible.t
ned by
the portmapper.
> and the second is about the apache sever, how can i disable http
> trace ? thanks..
use google
http://www.apacheweek.com/issues/03-01-24
Neither of these provide any additional security, why exactly do you
think they are necessary?
--
J
Phillip Hofmeister wrote:
> The same information can be gathered from your MTA (if you are
> running one) by doing an RCPT TO: and then an RSET.
This is not universally true and is generally a matter of how the MTA
is configured.
--
Jamie Heilman http://audible.transie
Litzler Mihaly wrote:
> How do you think switching a separate VLAN for this would be also secure
> enough? Is it a must to use a dedicated device?
Switching is done for speed, not security.
ell, which I guess
earns it a bonus point.
--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
I liked you better when you weren't saying squat kid." -Buddy
Emmanuel Lacour wrote:
> Is there someone having information about this web vulnerability, goals
> and risks and how to disable it?
google
There's plenty of discussion out there on why this "vulnerability"
isn't.
--
Jamie Heilman http://audible.trans
ram in exim ??
Maybe, or maybe the proper flags simply aren't being passed to your
local injection program to tell it to abide by the behavior you
expect.
--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "
hose of you who tend and
nurture your myopic little hatred of djb like it's some kind of 100
year old bonsai), etc. And they don't crash every few days for no
reason.
--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and n
best
tool for the job. (IMO, NIS is almost never the best tool in
homogeneous linux environments.)
--
Jamie Heilman http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
-Frank Zappa
my script (which I wrote a long time ago and don't have
anymore). Anyway, you get the idea.
--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
to tell me a '56 Chevy can beat a '47 Bui
nothing in apache (1.3 anyway) will service
those by default. Otherwise, yeah, Limit and LimitExcept are the
directives you're interested in.
--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly,
meone please
> confirm that?
Yeah, that sounds like BIND.
http://cr.yp.to/djbdns/forgery.html
--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's
not for you." She was cheap, she was stu
ists already deployed.
--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
next to you may not be who they appear to be, so take precaution."
-Sathington Willoughby
Jamie Heilman wrote:
> > [Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed:
> > erroneous characters after protocol string: CONNECT
> > mailb.microsoft.com:25 / HTTP/1.0
>
> open proxy probe, standard Internet crapola,
> http://www.monkeys.com/se
> [Sat Aug 31 21:03:49 2002] [error] [client 64.152.12.2] request failed:
> erroneous characters after protocol string: CONNECT
> mailb.microsoft.com:25 / HTTP/1.0
open proxy probe, standard Internet crapola,
http://www.monkeys.com/security/proxies/
robably, to the lack
of cohesion behind the various movements. But as I mentioned before,
you'll probably want to examine subdomain from Wirex, SELinux, maybe
LIDS, RSBAC, and doubtless there are others, but I'd start with those.
--
Jamie Heilman http://audible.tr
Joe Moore wrote:
> Jamie Heilman wrote:
> > Joe Moore wrote:
> >> As to your later message:
> >> setgroups() and initgroups() are not necessary. Already UID telnetd
> >> is able to write to /var/run/utmp because of its membership in GID
> >> utmp.
>
stem isn't that broken, stop trying
to fix it. There is no legitimate reason to jump through all these
hoops just to hide your tcp wrappers configuration from your local
users. If the requirements for your host dictate minimal access
rights, use an access control system that's been designed t
is increased infrastructure.
--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
next to you may not be who they appear to be, so take precaution."
-Sathington Willoughby
fundamental
vulnerability to compromise at all (by which I mean if the services
you run and the configurations you run them with actually have
exploitable bugs in them or not), but hey, at least your users won't be
able to read those files. And that's, um, something.
--
Jamie Heilman
d
> hosts.allow ... ?
Obscuring your libwrap/tcpd configuration from your local users, at
the expense of allowing services to run as separate, non-privileged
users is a bad idea. Privilege separation provides a very tangible
benefit, obfuscated config files do not.
--
Jamie Heilman
Christian Hammers wrote:
> On Sat, Jun 22, 2002 at 11:50:10PM -0700, Jamie Heilman wrote:
> > it's not just mod_proxy, apache was vulnerable regardless
> BTW: in the case that mod_proxy is not loaded: is it enough to just
> backport the get_chunk_size function from http_protocol
> Can someone clarify for me, please (not directly debian related, I know,
> but...) - the patches appear to only be to the chunk-encoding functions
> in mod_proxy. If mod_proxy isn't loaded, is apache still vulnerable?
it's not just mod_proxy, apache was vulnerable regardless
--
is your baby now, you wanna close that old
bug out? Ben never did and it's pretty much moot now as that bad
package never made it into primetime.
--
Jamie Heilman http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality. Before we know the words
can I circumvent this problem?
apt-get install equivs
--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
next to you may not be who they appear to be, so take precaution."
[EMAIL PROTECTED] wrote:
> now i have tried postfix and exim and i like both.
> But wich is more secure? any body some knowledge about that?
postfix has a better, more security concious, design
He didn't use your root account, he used the nature of SMTP to trick
you. http://rfc821.x42.com/ And no, you can't block telnet, unless
you choose to not run a mail server at all.
--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto
Micah Anderson wrote:
> Got what appears to be a "crc32 compensation attack in my logs today,
> about 10 minutes worth of these types of messages should I be
> worried? Should I laugh at this feeble attempt to break in? Should I
> gnaw my fingernails with my shotgun on my lap?
heh, http://www
Jason Thomas wrote:
> maybe ask the maintainer of the package to change it to something
> meaningful!
better yet, uninstall the package and boycott stupid behavior
--
Jamie Heilman http://audible.transient.net/~jamie/
"It's almost impossible to overestimate
Dmitriy wrote:
> How can I change this?
man snort, note -s option
man syslog.conf
--
Jamie Heilman http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle
into a lion's mouth and flicking his lovespuds wit
ich can bring more
things to light.
--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way without saying squat and now you're trying
to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
I liked you better when you weren't saying squat kid." -Buddy
seen The Big Lebowski)
> > > 2. author write like "alle shit then my"
> >
> > Uh, sure.
>
> Whatever the quote means, I don't need *another* DJB-war barely a fortnight
> after the last one.
Aww, but they contain the same addictive chemical found in t
records over 512 bytes that
will require tcp transport or not, or if you need to allow zone transfers
to outside parties, so the question of if you need to allow 53/tcp is
already decided, all you have to do is recognise that fact.
--
Jamie Heilman http://audible.transient.net/~ja
ur network further
at all.
--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way without saying squat and now you're trying
to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
I liked you better when you weren't saying squat kid." -Buddy
say there is no good reason *period* as
I've been running several machines without a working inetd for a year or so
now, simply don't have the need for it on most workstations in my situation.
--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way
rve
large queries, otherwise, you don't need it
dnscache uses port 53 both tcp and udp - it's the caching resolver
--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she
till evangelize binary
distros and linux.
--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's
not for you." She was cheap, she was stupid and she wouldn't load
-- well, not for me, anyway." -Holly
only unstable box
actually needed inetd, and was only accessible from an internal network so
I wasn't worried about inetd's underlying flaws wrt DoSability and lack of
concurrency limiting. If you use inetd on an untrusted interface you are
asking for pain, I thought that was fairly well un
maradns enter unstable a few days ago and you can always snag djbdns from
http://cr.yp.to/djbdns.html
--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way without saying squat and now you're trying
to tell me a '56 Chevy can beat a
t; Any solution??
>
> Resource limits on the ftp server process?
Or a DenyFilter of \*.*/ as is recommended on the proftpd.org web site.
http://www.proftpd.org/critbugs.html
--
Jamie Heilman http://audible.transient.net/~jamie/
"...that's the metaphorical equivalen
rflow bug fixed
* getttext NLSPATH security bug fixed.
* spool_file_perms security bug fixed.
* Added setuid Linux bug work-around.
-- Craig Small <> Sun, 15 Oct 2000 15:42:02 -0500
--
Jamie Heilman http://audible.transient.net/~jamie/
"We must be born with an in
to /myphatmp3archive/ then
don't log it. Even then you're probably screwed as your upstream could
conceivably log the activity. If, on the other hand, you just want to
display your log files to the world sans the detailed connection
information, just post-process them and
'm all for it,
especially if somebody else can figure out how to make a logger that does
reliable and perhaps secure network transport.
--
Jamie Heilman http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle
into a lion
ke to see is a facility logger that could collect logs
like traditional syslog but then would let me hand them to something like
multilog to be stored on disk.
--
Jamie Heilman http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality. Before we kno
ocol works over TCP however, so if you're acting
as a master you may have to open the tcp port to your slaves. Of course if
you're running BIND and you're concerned about security ...
There are better servers than BIND and there are better ways to transfer
zone information.
--
the subject of securing NTP, has anyone gotten the autokey stuff to work
the version of ntpd in stable?
--
Jamie Heilman http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle
into a lion's mouth and flicking his love
ata transfer over TCP
but its not generally needed during normal operation. At any rate, it
couldn't be done without modifying the code, and finding somebody else to
peer with who also had a modified server.
--
Jamie Heilman http://audible.transient.net/~jamie/
"
use tcp instead of udp ?
No, UDP is intrinsic to how NTP works.
--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
next to you may not be who they appear t
Rishi L Khan wrote:
> Maybe use tcp wrappers? That's how I'd do it.
Nope, ntpd doesn't link against libwrap and can't be run out of inetd.
--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said,
evel, which is unfortunate. You can at
the protocol level however. Get the NTP documentation and read about the
authentication options and the access control options. To control access
at the transport level you will have to use firewalling rules.
--
Jamie Heilman http://audible
pening. It might be spam, it might
be a misconfiguration on their end.
--
Jamie Heilman http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality. Before we know the words
for it, before we know there are words, out we come bloodied and squ
s pretty picky
about those things, whereas unix clients aren't. For example a good CVSROOT
is :ext:mycvsserver:/mycvs/root/path, whereas a bad one which will almost
certainly make wincvs choke (these get stored in the CVS control files
remember) is user@mycvsserver:/mycvs/root/path.
--
Jamie He
e than Redhat is no more secure than Solaris is no more secure
than OpenBSD. We could make a lot of vague generalizations about default
setup and what-not but it's really just a waste of time. If you don't want
to be hacked, learn how to prevent it.
--
Jamie Heilman
> Well, I can't tell you how to change the 'from' entry in your MTA.
man qmail-inject
at any rate none of this is security related
-jamie
@polyphony
(/dev/pts/4) at 13:21 ...
hrmmm
polyphony:~#
I have no idea if this has further reaching consequences, but ldd didn't
use to actually execute the programs you ran it on. This seems to only
affect sgid applications.
--
Jamie Heilman http://audible.tra