On Wed, Aug 08, 2001 at 12:08:22AM -0700, Petro wrote:
Are you talking about named.conf, or the master db files?
First thing that came to my mind was /etc/resolv.conf, in the case that
he just wanted to configure the name servers for his box.
But, who knows. :-\
On Fri, Aug 03, 2001 at 01:56:26PM -0400, Andrew Lattis wrote:
1. Check the openssh man page for AllowGroups and AllowUsers, both allow you to
specify users that are allowed to login, everyone else is denied.
You can also disable access with PAM, using the sshd pam control file.
Just use
On Fri, Aug 03, 2001 at 01:56:26PM -0400, Andrew Lattis wrote:
1. Check the openssh man page for AllowGroups and AllowUsers, both allow you
to
specify users that are allowed to login, everyone else is denied.
You can also disable access with PAM, using the sshd pam control file.
Just use
On Fri, Aug 03, 2001 at 08:09:25PM +, Jim Breton wrote:
You can also disable access with PAM, using the sshd pam control file.
Just use pam_deny.so to deny authentication.
/me pops foot out of mouth
When I wrote that I was not considering your previous statement of
needing to still
On Mon, Jul 30, 2001 at 01:54:03PM -0700, Stephen Hassard wrote:
I was just playing around securing one of my Exchange boxes, and found that
coupling Stunnel (http://www.stunnel.org/) with your favourite mail server
works really well (not that Exchange is my pick for a secure mail server)
On Mon, Jul 30, 2001 at 12:47:46PM -0600, Moe Harley wrote:
I'm more worried about people seeing
my pop3 service as a potential door into my network.
See my first reply to you
On Mon, Jul 30, 2001 at 01:54:03PM -0700, Stephen Hassard wrote:
I was just playing around securing one of my Exchange boxes, and found that
coupling Stunnel (http://www.stunnel.org/) with your favourite mail server
works really well (not that Exchange is my pick for a secure mail server)
On Sun, Jul 29, 2001 at 02:13:17PM -0600, Moe Harley wrote:
Thought i'd ask what the general opinion is on the most secure pop3 daemon.
Here is one decent one:
http://www.openwall.com/popa3d/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
On Fri, Jul 20, 2001 at 09:31:07PM -0700, Jeff Coppock wrote:
# modprobe ip_tables
modprobe: Can't locate module ip_tables
But, it's definitely there. I can't figure out how to fix
this. Any help is very much appreciated.
Your version of modutils's 'modprobe' doesn't look
On Fri, Jul 20, 2001 at 12:37:49PM -0700, Jeff Coppock wrote:
Do I need to dist-upgrade to woody to use iptables?
Nope.
http://netfilter.samba.org
Compiles very easily from source. HTH.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
On Fri, Jul 20, 2001 at 09:31:07PM -0700, Jeff Coppock wrote:
# modprobe ip_tables
modprobe: Can't locate module ip_tables
But, it's definitely there. I can't figure out how to fix
this. Any help is very much appreciated.
Your version of modutils's 'modprobe' doesn't look
On Fri, Jul 20, 2001 at 12:37:49PM -0700, Jeff Coppock wrote:
Do I need to dist-upgrade to woody to use iptables?
Nope.
http://netfilter.samba.org
Compiles very easily from source. HTH.
On Sat, Jul 07, 2001 at 01:56:56AM -0800, Ethan Benson wrote:
which may not work if you always type the
full path to /bin/su anyway.
Hoping he doesn't:
alias /bin/su='/var/tmp/hax0rSu'
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL
On Sat, Jul 07, 2001 at 03:16:39AM -0800, Ethan Benson wrote:
alias /bin/su='/var/tmp/hax0rSu'
i would consider this a bug in the shell.
I disagree; from the Bash man page:
The alias name and the replacement text may con-
tain any valid shell input, including the
On Sat, Jul 07, 2001 at 01:56:56AM -0800, Ethan Benson wrote:
which may not work if you always type the
full path to /bin/su anyway.
Hoping he doesn't:
alias /bin/su='/var/tmp/hax0rSu'
On Sat, Jul 07, 2001 at 03:16:39AM -0800, Ethan Benson wrote:
alias /bin/su='/var/tmp/hax0rSu'
i would consider this a bug in the shell.
I disagree; from the Bash man page:
The alias name and the replacement text may con-
tain any valid shell input, including the
On Sun, Jun 17, 2001 at 02:44:48AM -0800, Ethan Benson wrote:
compiling without module support would be mostly the same as just
lcap CAP_SYS_MODULE
Fwiw, I have heard (though not tested myself) that even if you compile
your kernel _without_ loadable module support, you will still be able
On Wed, Jun 13, 2001 at 10:48:22AM +0200, Craig wrote:
Now what i need to know, is woody stable enough for a proxy/firewall machine
I do not know the answer to this as I haven't really used woody yet.
But, the stuff you need to make it work smoothly on a potato box can be
found starting from
On Wed, Jun 13, 2001 at 10:48:22AM +0200, Craig wrote:
Now what i need to know, is woody stable enough for a proxy/firewall machine
I do not know the answer to this as I haven't really used woody yet.
But, the stuff you need to make it work smoothly on a potato box can be
found starting from
On Thu, Jun 07, 2001 at 06:57:18PM -0300, Pedro Zorzenon Neto wrote:
$ locate private | grep /home/pzn/private
the whole contents of my private dir suddenly appears here...
Did you run updatedb as root anytime recently?
Notice that by default, this command is run (from cron) as user
On Thu, Jun 07, 2001 at 06:57:18PM -0300, Pedro Zorzenon Neto wrote:
$ locate private | grep /home/pzn/private
the whole contents of my private dir suddenly appears here...
Did you run updatedb as root anytime recently?
Notice that by default, this command is run (from cron) as user
On Sun, Jun 03, 2001 at 07:44:00AM +, Adam Olsen wrote:
So here I was playing around with some stuff in Quakeforge, and I see
a FISH swim across my root windows. Not surprisingly, my first
thought was HUH?! Second was probably WTF...
http://marc.theaimsgroup.com/?t=9905757464w=2r=1
On Sun, Jun 03, 2001 at 07:44:00AM +, Adam Olsen wrote:
So here I was playing around with some stuff in Quakeforge, and I see
a FISH swim across my root windows. Not surprisingly, my first
thought was HUH?! Second was probably WTF...
http://marc.theaimsgroup.com/?t=9905757464w=2r=1
On Sat, May 26, 2001 at 11:34:00PM +0200, Tomasz Olszewski wrote:
just modified /usr/X11R6/bin/startx but wat id someone launches plain
xinit?
On Tue, May 29, 2001 at 01:50:10PM +0200, Tomasz Olszewski wrote:
I was thinking about it but I thought there may be a more civilized
way ;) However
On Fri, Jun 01, 2001 at 10:25:24PM +0200, Tomasz Olszewski wrote:
OK, I mentioned both startx and xinit but when I was talking about
ignoring the global xinitrc I reffered to xinit (because startx was
already not a problem).
Oh ok.
P.S. if you do modify the startx script it will be
On Tue, May 29, 2001 at 11:54:29PM -0800, Ethan Benson wrote:
trouble is when your dealing with corrupt/fascist/evil
government/regimes encryption isn't going to do you much good, either
they will throw you in prison for refusing to disclose the decryption
key or worse they will use methods
On Tue, May 29, 2001 at 11:54:29PM -0800, Ethan Benson wrote:
trouble is when your dealing with corrupt/fascist/evil
government/regimes encryption isn't going to do you much good, either
they will throw you in prison for refusing to disclose the decryption
key or worse they will use methods
On Mon, May 28, 2001 at 01:46:07PM +0200, Tomasz Olszewski wrote:
If an user
creates his own $HOME/.xserverrc, it overrides the system wide
xserverrc.
So make /usr/bin/X11/X a wrapper for the real X.
Problem with this is, if you upgrade or re-install the package
containing it, it will get
On Mon, May 28, 2001 at 11:09:29PM -0400, S. Kraig wrote:
the 'international kernel' and after enabling that form of encryption...
so where do I start in doing this?
http://www.kerneli.org/
On Sun, May 27, 2001 at 02:13:13PM +0200, Tomasz Olszewski wrote:
manual) this is not exactly what I was looking for but I think I'll try
Yep... actually this _is_ the correct way to deal with this.
I created this file with the following contents:
#!/bin/sh
exec /usr/bin/X11/X -nolisten tcp $@
On Thu, May 24, 2001 at 04:10:13PM +0900, Curt Howland wrote:
the last two i understand, as well as domain, but sunrpc and 1171?
man fuser. Look for the -n option.
i've cleaned up everything i can think of, but X11R6 says it still needs the
RPC packages.
Why does/would X11 require RPC?
On Sun, Apr 29, 2001 at 07:19:06AM -0400, Sunny Dubey wrote:
I know that UNIX does it so that normal users can't seem like legit and
important services, but there surely must be some better way of delegating a
port below 1024 to a deamon.
Well, at least on Linux, and with the right set of
On Sun, Apr 29, 2001 at 07:19:06AM -0400, Sunny Dubey wrote:
I know that UNIX does it so that normal users can't seem like legit and
important services, but there surely must be some better way of delegating a
port below 1024 to a deamon.
Well, at least on Linux, and with the right set of
On Wed, Apr 11, 2001 at 10:10:38PM -0700, Jamie Heilman wrote:
Dan Bernstein's multilog program is the only logger I've seen that offers
various reliability guarentees and actually delivers on them, but it has
some prerequisites for usage that can frequently be difficult to meet.
What I'd
On Wed, Apr 11, 2001 at 10:10:38PM -0700, Jamie Heilman wrote:
Dan Bernstein's multilog program is the only logger I've seen that offers
various reliability guarentees and actually delivers on them, but it has
some prerequisites for usage that can frequently be difficult to meet.
What I'd
On Thu, Apr 12, 2001 at 12:38:10AM +, Adam Olsen wrote:
So my question: how do I set this up properly?
Not with sudo. ;)
chgrp adm /var/log/syslog # change group of file to adm
adduser (yourself) adm # put yourself into group adm
logout
log in again
:bam:
;D
On Tue, Apr 10, 2001 at 12:13:52PM +0200, Vaclav Hula wrote:
RFC compliancy isn't enough? IMHO should be.
Someone else has already responded to this; but no, RFC compliance
doesn't necessarily tell us the best thing to do for every situation.
Take syn cookies for example.
A decent policy
On Tue, Apr 10, 2001 at 12:13:52PM +0200, Vaclav Hula wrote:
RFC compliancy isn't enough? IMHO should be.
Someone else has already responded to this; but no, RFC compliance
doesn't necessarily tell us the best thing to do for every situation.
Take syn cookies for example.
A decent policy is
On Mon, Apr 09, 2001 at 03:20:00PM -0400, Noah L. Meyerhans wrote:
Ask yourself this: *Why* should ICMP be filtered? What are you gaining?
Do you sleep better at night knowing that your machine won't respond to
pings? It really doesn't make you any safer.
What are you gaining by responding
On Mon, Apr 09, 2001 at 01:42:25AM +0200, Robert Magier wrote:
I have seen this since I installed 2.4.0 kernel and iptables.
http://netfilter.samba.org/netfilter-faq-3.html#ss3.1
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL
On Fri, Mar 16, 2001 at 10:27:23PM -0600, JonesMB wrote:
Is there any reason for eth0 to be showing PROMISC all the time or is this
Some apps put the card into promisc mode and do not turn off promisc
when you exit.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of
On Fri, Mar 16, 2001 at 10:27:23PM -0600, JonesMB wrote:
Is there any reason for eth0 to be showing PROMISC all the time or is this
Some apps put the card into promisc mode and do not turn off promisc
when you exit.
On Mon, Mar 12, 2001 at 06:58:07PM -0400, Peter Cordes wrote:
On Mon, Mar 12, 2001 at 06:36:25PM +, Jim Breton wrote:
It does do what you describe; however the original question is about
evil packet _destinations_ and not evil packet _sources._
No, I just checked linux/Documentation
On Sat, Mar 10, 2001 at 10:22:48AM -0600, Ted Cabeen wrote:
if (BADCLASS(daddr) || ZERONET(daddr) || LOOPBACK(daddr))
goto martian_destination;
This is part of the routing check for incoming packets. It should take
care of the problem being discussed. :)
(I
On Fri, Mar 09, 2001 at 08:49:54PM +, Jim Breton wrote:
# deny and log all packets trying to come in from a 127.0.0.0/8 address
# over a non-'lo' interface
Oops. Just occurred to me that this is not what you were asking about.
Why do I do such things?
Anyway.
/etc/ipmasq/rules
On Fri, Mar 09, 2001 at 08:47:41AM -0400, Peter Cordes wrote:
Yes. It uses rp_filter (this is controlled in /proc/sys/... Read
Also by:
/etc/ipmasq/rules/I15lospoof.def
if you have the ipmasq package installed:
# deny and log all packets trying to come in from a 127.0.0.0/8 address
# over
On Fri, Mar 09, 2001 at 08:49:54PM +, Jim Breton wrote:
# deny and log all packets trying to come in from a 127.0.0.0/8 address
# over a non-'lo' interface
Oops. Just occurred to me that this is not what you were asking about.
Why do I do such things?
Anyway.
/etc/ipmasq/rules
On Mon, Mar 05, 2001 at 10:48:23AM -0500, K 0 wrote:
i un tarred-gziiped it and saw no installation instructions nor configure
scripts ... a straight make does work too.
Sounds like you got the wrong tarball.
Did you get it from this page?
http://www.openssh.com/portable.html
--
To
On Mon, Mar 05, 2001 at 10:48:23AM -0500, K 0 wrote:
i un tarred-gziiped it and saw no installation instructions nor configure
scripts ... a straight make does work too.
Sounds like you got the wrong tarball.
Did you get it from this page?
http://www.openssh.com/portable.html
On Sat, Feb 10, 2001 at 07:54:49PM +0100, Carel Fellinger wrote:
[-- PGP output follows (current time: Sat Feb 10 19:40:06 2001) --]
gpg: Signature made Sat 10 Feb 2001 06:11:01 PM CET using DSA key ID EBF15399
gpg: Good signature from "Marco Ghidinelli [EMAIL PROTECTED]"
gpg: WARNING: This
On Sat, Feb 10, 2001 at 07:54:49PM +0100, Carel Fellinger wrote:
[-- PGP output follows (current time: Sat Feb 10 19:40:06 2001) --]
gpg: Signature made Sat 10 Feb 2001 06:11:01 PM CET using DSA key ID EBF15399
gpg: Good signature from Marco Ghidinelli [EMAIL PROTECTED]
gpg: WARNING: This key
On Mon, Feb 12, 2001 at 03:14:23PM +0100, Thomas Gebhardt wrote:
A quick test with OpenSSH 2.3 + sftp 0.9.5 and SSH 2.1 Windows
Client did not succeed.
I had similar failures with scp, sftp, and gftp using the OpenSSH-2.3.0
server. IIRC my server logs had something like ... we do not read...
On Sat, Feb 03, 2001 at 12:38:47PM -0700, Troy Telford wrote:
I would like to use the state-tracking for IRC, but simply having the
--state established,related (and new... but I don't think that's
necessary) --sport irc(d) options doesn't seem to do anything...
Correct, NEW is not
On Sat, Feb 03, 2001 at 12:38:47PM -0700, Troy Telford wrote:
I would like to use the state-tracking for IRC, but simply having the
--state established,related (and new... but I don't think that's
necessary) --sport irc(d) options doesn't seem to do anything...
Correct, "NEW" is not
On Fri, Feb 02, 2001 at 07:08:57PM +0100, Philippe BARNETCHE wrote:
I still don't understand how to handle with mutt the mails that have been pgp signed
with kmail.
Are you talking about verifying signatures?
I usually just pipe mine through gpg --verify...
| gpg --verify
Works for me.
On Fri, Feb 02, 2001 at 07:08:57PM +0100, Philippe BARNETCHE wrote:
I still don't understand how to handle with mutt the mails that have been pgp
signed with kmail.
Are you talking about verifying signatures?
I usually just pipe mine through gpg --verify...
| gpg --verify
Works for me.
On Wed, Dec 13, 2000 at 11:11:52AM +0100, Javier Fernandez-Sanguino Pe?a wrote:
*Please* post it. It could be really useful for documents like the
Securing-Debian-HOWTO, I have my own checklist and will update the HOWTO with
it
soon.
So, for all of you.. new thread? :
On Mon, Dec 11, 2000 at 04:26:45PM -0300, Eduardo Gargiulo wrote:
I'm new using mutt.
I want to send my messeges clear signed, but I can't.
I'm using gnupg, and I put in my .muttrc
set pgp_sign_command="gpg --clearsign"
but the signature is attached in binary format. How can I sign my
On Thu, Nov 30, 2000 at 11:38:09PM -0600, Michael Janssen (CS/MATH stud.) wrote:
I was wondering, in my thought ramblings, if there was a easy way to
replace ALL binaries that are in a installed package with their
(hoprfully) original states. i.e. If a machine was to fall victim to
a rootkit
On Thu, Nov 30, 2000 at 11:38:09PM -0600, Michael Janssen (CS/MATH stud.) wrote:
I was wondering, in my thought ramblings, if there was a easy way to
replace ALL binaries that are in a installed package with their
(hoprfully) original states. i.e. If a machine was to fall victim to
a
Is there someplace on debian.org from which I can get a file or files
containing the md5sums of all the packages? Not the packages' contents,
but the packages themselves.
I have some ISOs I got from another site (linuxiso.org) and I would like
to confirm the sums of all the packages before I
Is there someplace on debian.org from which I can get a file or files
containing the md5sums of all the packages? Not the packages' contents,
but the packages themselves.
I have some ISOs I got from another site (linuxiso.org) and I would like
to confirm the sums of all the packages before I use
On Sun, Oct 29, 2000 at 03:52:40PM +, sena wrote:
Why not check the sums of the ISOs? I'm sure the site where you downloaded
them must have the md5sums for the ISOs...
Yes they do, and I have checked them. But this is putting an additional
layer of trust into whoever created the ISO.
On Mon, Sep 18, 2000 at 09:18:05PM -0300, Henrique M Holschuh wrote:
Yeah, those do solve the worst problem with OPIE. There's nothing wrong with
OTPs when properly designed (i.e.: no sheets of paper ;-) ), but since the
original poster was talking about OPIE...
Using OPIE doesn't mean you
On Wed, Sep 06, 2000 at 10:22:44PM +0200, Wouter Hanegraaff wrote:
I have some files that I would like to store encrypted. Of course I can
See also PPDD:
http://linux01.gwdg.de/~alatham/ppdd.html
On Fri, Sep 01, 2000 at 02:39:04PM -0400, Wesley A. Wannemacher wrote:
I have a Linux machine that has been recently
rooted. I have found many strange things on the
Why is there an extra '..'? There was also a
Most likely one of them is really named .. or something like
that. Check for
On Sat, Jul 29, 2000 at 02:41:51PM -0800, Ethan Benson wrote:
we we could just fix the DoS in gpm, no?
Presumably so, though I'm not sure how the internals of gpm work... it
is conceivable that any data written to that socket in the right format
(or whatever) would be read as valid by the gpm
Do we have any plans in the works for a fix similar to what Red Hat are
doing?
Running potato here, and the permissions on /dev/gpmctl are indeed 777.
I am thinking about changing the group ownership on mine to mouse
(creating that group) and using the /etc/security/group.conf mechanism
to put
I was just about to send this to bugs with a severity of wishlist but
then I figured maybe I'd throw it out here first.
Package: login
Version: 19990827-20
Severity: wishlist
Hello. I was reading the login.defs man page and noted this:
CONSOLE /etc/consoles
or
On Thu, Jul 27, 2000 at 11:56:03PM -0800, Ethan Benson wrote:
pam_group is only relativly secure if your system is installed and
configured a certain way:
Yup, some of that is mentioned in the documentation... nevertheless, it
would be a big improvement over making the socket world-writable.
70 matches
Mail list logo