Re: Block 198.175 admins? who are they?

2002-09-24 Thread Rishi L Khan
Are you sure that they portscanned you and not someone faking that IP? According to ARIN: OrgName:Distributed Network Technical Support OrgID: DNTS NetRange: 198.175.98.0 - 198.175.98.255 CIDR: 198.175.98.0/24 NetName:INTEL-IT35 NetHandle: NET-198-175-98-0-1 Parent: NET

Re: To test a OpenSSH trojaned server

2002-08-05 Thread Rishi L Khan
Well, as I understand it, the trojan runs only when you compile the code ... it's not in the sshd program. So, you can only have it if you compiled the code yourself. If so, you can just check the md5 sums from the advisory. -rishi On Mon, 5 Aug 2002, Halil Demirezen wrote: > Hi a

mod-ssl and new apache

2002-06-19 Thread Rishi L Khan
Does mod_ssl support the new apache yet? -rishi

Re: sshd_config file

2002-06-02 Thread Rishi L Khan
I think the Banner tag is meant for text files. I assume you're trying to display some information that changes every so often. I see two ways of doing this: 1) set up a cron job to run every so often and update the file and set the "Banner" tag to the file. 2) configure sshd to run with TCPwrappe

Re: ipchains rules for dmz??

2002-05-29 Thread Rishi L Khan
I looked into shorewall. It doesn't support ipchains, but seawall does. Would you suggest updating to iptables or using seawall? Do you think that Linux 2.4.x is stable yet? If so, which version? I believe that ipchains can do the job and that linux 2.2.20 is stable. I don't have experience in 2.

ipchains rules for dmz??

2002-05-29 Thread Rishi L Khan
Does anyone have a set of ipchains rules for a DMZ that doesn't have routable IPs and an internal network that doesn't have routable IPs? I looked on the IPCHAINS HOWTO page, but they don't have a script for this. I haven't seen anything with google either. I'm looking for something like this: I

Re: auth.log

2002-05-22 Thread Rishi L Khan
Sounds like you have some cron jobs running every five minutes. Check your /etc/crontab, /etc/cron.d, /etc/cron.daily. See if you can find the job that's running every five minutes. If someone was trying to login, it would say which tty they were logging in from, or it would have associated sshd

Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")

2002-05-19 Thread Rishi L Khan
> (we are also not releasing *too* many of these yet, when we do the Ghost > licensing fees might be higher than is justified). When Ghost is prohibitive, consider using "dd", the standard unix disk dump tool.

Re: Safe to use Mindterm?

2002-05-13 Thread Rishi L Khan
> Anne Carasik <[EMAIL PROTECTED]> wrote on 13/05/2002 (17:55) : > > Security issues? Can you be more specific? > > > > There aren't any security issues (yet) with the SSH 2.0 protocol. > > > > From what I know, there aren't any issues using mindterm for 2.0 > > either :) > > > > But the Mindterm

Re: Unknown app ports 32703/32705/32706 logged !

2002-05-11 Thread Rishi L Khan
Are you running portmapper? If so, you need to look if these ports are mapped to specific things via rpcinfo. Also, you can use lsof for solaris. On Sun, 12 May 2002, dave toh wrote: > Hi, > > A firewall had detected that one of my machine (solaris 2.6) is broadcasting > port 32703/32705/32706 ev

RE: CNAME, iptables and qmail

2002-05-06 Thread Rishi L Khan
You need to open port 53 for tcp and udp. Another way you can look at it is to log all packets you DENY (or REJECT) and see what your DNS is trying to do. -rishi On Mon, 6 May 2002, Gary MacDougall wrote: > Damn!! I hit send before editing this message. Sorry! > Please read this

Re: webhosting

2002-02-23 Thread Rishi L Khan
> My imagine: > 1. Apache with PHP, and some cgi could be enabled (perl, etc.) > 2. FTP for each Apache web Use ssh and scp or sftp instead. > 3. Some e-mails for each web (better with webmail+antivir) IMAP or POP3 over SSL ... > 4. Primary DNS server for each web Only one DNS server serve

Re: ssh ip address

2002-02-19 Thread Rishi L Khan
See the SSH_CLIENT environment variable. (set | grep SSH) for bash (w/o the parentheses) (setenv | grep SSH) for tcsh and csh (w/o the parentheses) Also, look into getting an account with dyndns so you will have a static FQDN but a dynamic IP that can be looked up. -ris

Re: Emulate real ip's to access intranet hosts from outside

2002-02-13 Thread Rishi L Khan
It seems that to accomplish the example you posed, you need 2 external IPs. Say they were 1.1.1.1 and 1.1.1.2 for example. Then in DNS you could do: ftp1 -> 1.1.1.1 ftp2 -> 1.1.1.2 www1 -> 1.1.1.1 www2 -> 1.1.1.2 And on your firewall do: 1.1.1.1 port 21 -> 192.168.0.10 1.1.1.2 port 21 -> 192.168.0.50

Re: Secure Finger Daemon

2002-01-06 Thread Rishi L Khan
I'm not sure which are secure. However, if you plan to use any of them, I suggest using tcp-wrappers (tcpd) via inetd (or xinetd). Then edit your hosts.allow file and explicitly allow only certain machines to access your box. Also, consider running whichever finger daemon as a separate user (i.e.

RE: Squid security

2001-12-04 Thread Rishi L Khan
Another way to do it is to set up an automatic proxy script that tells the browser which port on the squid box to go to. Then you can periodically change the port. (Or you can just change to an obscure port and hope fewer people find it). -rishi On Tue, 4 Dec 2001, Chris Harrison wrote

Re: Squid security

2001-12-04 Thread Rishi L Khan
> On another server, which I have squid running and want running, I keep > getting accesses from http://service.bfast.com/bfast/serve and someone > seems to be accessing web pages late at night when everyone has gone > home. Trouble is, the IP addresses that access squid don't have host > names (i

Re: home directory permission

2001-11-30 Thread Rishi L Khan
How are you creating a new user directory? Are you mkdir'ing directly or using a program like useradd? If you are mkdir'ing, change your umask (be aware, this changes the umask of ALL of your newly created files). If you are using useradd, look into the -D option. If you are using some other method,

Re: shutdown user and accountability

2001-11-27 Thread Rishi L Khan
How about Ctrl-Alt-Del? That shuts down a debian box without even logging in. As far as accountability ... you could do it the old fashioned way and have a sign in sheet ... one stupid policy deserves another. -rishi On 28 Nov 2001, Olaf Meeuwissen wrote: > Blake Barnett <[EMAIL

Re: [off-topic?] Chrooting ssh/telnet users?

2001-10-26 Thread Rishi L Khan
I think the only way to accomplish a chroot IS to include all the files in the jail that the user needs. -rishi On 26 Oct 2001, Paul Fleischer wrote: > > On Fri, 2001-10-26 at 15:51, Rishi L Khan wrote: > > Set the shell for the user in /etc/passwd to a script that

Re: [off-topic?] Chrooting ssh/telnet users?

2001-10-26 Thread Rishi L Khan
Set the shell for the user in /etc/passwd to a script that chroots and then spawns a shell. -rishi On Fri, 26 Oct 2001, Javier [iso-8859-1] Fernández-Sanguino Peña wrote: > I have been asked for this and I was trying to figure out how to do it > (would document it later on in the

Re: protecting against buffer overflow.

2001-09-15 Thread Rishi L Khan
You can set up logcheck and cron to check every minute for "suspicious" log entries (as you define them) and have them emailed to you. Additionally, you can edit the logcheck.sh file and have it notify you any way you like. -rishi On 15 Sep 2001, Russell Speed wrote: > Thanks, I wil

Re: '(no

2001-09-15 Thread Rishi L Khan
Consider using tripwire on your computers in the future. This way you can create a database of md5sums of all important programs and store them on a disk in your drawer. Then you'll know what was hacked and what wasn't. -rishi On 15 Sep 2001, Momchil Velikov wrote: > > "Dimit

Re: firewall

2001-09-10 Thread Rishi L Khan
If you're not using sunrpc or lpd, I would turn them off. The way I do it is turn off the services (/etc/init.d/portmap stop; /etc/init.d/lpd stop) and then edit /etc/init.d/lpd and /etc/init.d/portmap and add a line near the top that says "exit 0" (w/o quotes) so that when you restart, they don't

Re: That "Layne" incident (possibly useful information, not just whining!)

2001-09-02 Thread Rishi L Khan
Maybe that's the same trick that got him on the list in the first place... -rishi On Sun, 2 Sep 2001, Wade Richards wrote: > Hi Everyone, > > On Sat, 01 Sep 2001 22:36:44 MDT, John Galt writes: > >Yeah, but when's the last time you heard from him? Methinks that he got > >hit by

Re: ip spoofing (httpd)

2001-04-10 Thread Rishi L Khan
Does his script parse the HTTP headers, or look at the originating IP? If he parses the headers, then you can spoof that with telnet. If he uses the originating IP, then a proxy is the only easy way. -rishi On Tue, 10 Apr 2001, mafkees wrote: > On Tue, Apr 10, 2001 at 08:29:10PM +

Re: kernel: NAT: 0 dropping untracked packet c1aa2300 1 10.20.30.132 -> 62.142.131.12

2001-03-31 Thread Rishi L Khan
I think he's right ... Also, 169.254.x.x is indicative of a windows machine that is looking for DHCP but doesn't get it. So, it's probably NAT's outside of your network. -rishi On Sat, 31 Mar 2001, Aaron Dewell wrote: > > I assume that is on the ethernet side facing the ISP? Or

Re: anyone using telnet

2001-03-19 Thread Rishi L Khan
When you say "their account" do you mean they have an account on the machine you're setting up accounts for? Or is this machine some kind of "public kiosk" where anyone can get on? Allowing anyone to telnet in is a BAD idea. That means a script kiddie from Belgium can telnet in. If you want to s

Re: Allow FTP in, but not shell login

2001-03-13 Thread Rishi L Khan
The way I'd do it is set the last field of the /etc/shadow (the shell field) to /usr/bin/false. -rishi On Tue, 13 Mar 2001, Kenneth Pronovici wrote: > Hello - > > I'm not sure exactly where to look for this information, so if I should > RTFM, just point me toward the right one. >

Re: NTP security

2001-03-10 Thread Rishi L Khan
Maybe use tcp wrappers? That's how I'd do it. -rishi On Sat, 10 Mar 2001, Jamie Heilman wrote: > Piotr Tarnowski wrote: > > > If not can I limit allowed clients somehow ? (I noticed that DENY on > > ipchains to others than my reference external server limits ntptrace > > usage).

Re: how secure is mail and ftp and netscape/IE???

2001-02-21 Thread Rishi L Khan
I use the iXplorer and putty. This does GUI scp, but it looks like GUI ftp. On Wed, 21 Feb 2001, Adam Spickler wrote: > What about if you are going from a Windows box to a *nix box. Is there any way to >do secure ftp transfers. Mail, for me is no problem. I ssh into my machines and use >"Mu

Re: secure install

2001-02-17 Thread Rishi L Khan
I use: gtar cf - . | ssh target "gtar xvpBf -" -rishi On Sat, 17 Feb 2001, Nathan E Norman wrote: > On Sat, Feb 17, 2001 at 06:21:04PM +0100, Carel Fellinger wrote: > > On Sat, Feb 17, 2001 at 02:49:03PM +0100, Thor wrote: > > ... > > > Speak for cloning a single partition then i