On Sat, Jan 31, 2015 at 09:58:39AM +0100, Ml Ml wrote:
> Is anyone else facing the same problem? What are your experiences
> doing (blind) automatic security updates.
I've done automatic updates for Debian under cfengine control for nine
years and Ubuntu for perhaps one and a half. I started with
On Fri, Apr 01, 2011 at 11:53:48AM -0300, Rafael Moraes wrote:
> *#pvdisplay*
> --- Physical volume ---
> PV Name /dev/dm-0
> VG Name vg01
> PV Size 148.79 GiB / not usable 1.29 MiB
This:
> Allocatable NO
is your problem: allocation of phy
In /etc/exports, add "no_root_squash"
For example:
/home 192.168.0.0/24(rw,no_root_squash)
On Fri, Aug 27, 2010 at 11:06 AM, Min Wang wrote:
> Hi Security Gurus:
>
> I have following set up:
>
> Multiple Linux PCs use OpenLdap to authenticate, and mount /home to NFS
> server
>
> The goals are:
>
On Tue, Aug 11, 2009 at 10:56:57AM +0200, Joerg Morbitzer wrote:
> I just did a fresh sendmail installation on Debian Etch getting this
> auto-generated new /etc/mail/access file:
>
> titan:~# grep "^Connect:.*RELAY" /etc/mail/access
> Connect:localhost RELAY
> Connect:127
e admin makes it.
> here's my proposed checklist to carry out for securing a domain
> server -
This question comes up on email lists all the time; a quick google
search will complement your list below.
> 1. before attaching server to network install and configure
> tripwi
On Thu, Dec 15, 2005 at 12:35:09PM +, kevin bailey wrote:
> these ports seem to be open by default on a standard sarge setup
[...]
Not a standard, default setup; you've installed and enabled other
services which aren't turned on by default.
> the server will just be s
On Thu, Aug 19, 2004 at 10:44:40AM +0200, Thomas Hungenberg wrote:
> On Sun, 15 Aug 2004 12:34:59 -0600, Will Aoki wrote:
>
> >> Is there a way to make the sshd included with Debian/woody to also log
> >> the usernames an attacker tried to connect with?
> >
> >
On Sun, Aug 15, 2004 at 07:15:18PM +0200, Thomas Hungenberg wrote:
> Hello,
[snip]
> Is there a way to make the sshd included with Debian/woody to also log
> the usernames an attacker tried to connect with?
Set "LogLevel VERBOSE" in /etc/ssh/sshd_config
--
William Aoki KD7YAF [EMAIL PROTECTED]
a problem, no?) Thus my suggestion of saying in exim.conf that
> the only interface the daemon should listen on is loopback.
The default Debian Exim configuration will still work even if you remove
the links and don't start the daemon: local mail submission works via a
setuid binary, not o
: "
>start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
> --exec $DAEMON -- -bd -q30m
If you remove the '-bd', exim will run as a daemon, but it will only
send mail out (processing its queue). It won't bind tcp/25 to receive
mail.
(Exim will use a di
On Fri, Jan 23, 2004 at 12:17:00AM -0700, Will Aoki wrote:
> I've attached a slightly cleaned-up version of the password changer that
Perhaps this time I'll remember to attach the file *and* the mailing
list won't reject it...
--
William Aoki KD7YAF [EMAIL PROTECTED]
d; sleep 1; echo $newpasswd; sleep 1;
> > echo $newpasswd) | passwd $user
>
> how about:
>
> echo $user:$newpasswd | chpasswd
Hopefully the script would not actually invoke echo - otherwise, like
anything else passed on the command line, the password will show up in
the process table fo
On Thu, Jan 22, 2004 at 10:04:48PM -0500, Tom White wrote:
> Dear List,
>
> I'm looking for a decent, secure, web based password changer for
> user accounts. Something that I can install on a debian box with a
> minimum amount of tweaking, and that isn't really any less secure than
> a shell user
On Mon, Dec 01, 2003 at 03:07:14PM +0100, Francisco Oliveira wrote:
> hi
> I have compiled kernel 2.4.22 for bridge and iptables support.
> Bridge is working ok but Layer 3 packets are only processed if they are
> addressed to bridge box ip address interface.
You need the ebtables patch from http:
On Thu, Jul 31, 2003 at 01:50:07PM -0400, Noah L. Meyerhans wrote:
[snip]
>
> libdnet has nothing to do with decnet. Its feature list, as shown on
> http://libdnet.sourceforge.net/ indicates that it does the following:
> * network address manipulation
> * kernel arp(4) cache and route(4)
a sudo. IN an
If someone gets your password, said person will likely be able to
manipulate your account so as to get root the next time you su.
OTOH, if you do want the extra security blanket, you could tweak PAM to
have sudo use a different password store or even an entirely different
authentication schem
On Tue, May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> Hi,
> I'm not sure whether this idea has been considered or implemented
> anywhere, but I have been thinking about it, and believe it would provide a
> fairly high-level of security for systems which only run a few public
> se
e hell spawn of the devil,
but that is just my personal opinion ;-)
Where can I find information about it?
If I was thinking of installing them, I would start here:
http://www.google.com/search?q=frontpage+extensions+unix
But I am not ;-)
Will
[0]A big number
--
Will Jessop
Freela
ll spawn of the devil,
but that is just my personal opinion ;-)
Where can I find information about it?
If I was thinking of installing them, I would start here:
http://www.google.com/search?q=frontpage+extensions+unix
But I am not ;-)
Will
[0]A big number
--
Will Jessop
Freelance web sy
On Mon, Dec 30, 2002 at 02:20:25PM -0500, Stephen Gran wrote:
> Hello all,
>
> I'm seeing the following in my logs (fairly frequently):
>
> 66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "CONNECT 213.92.8.4:6667 HTTP/1.0"
>405 303 "-" "-"
> 66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "POST ht
On Wed, Dec 11, 2002 at 11:07:11AM +0900, Oohara Yuuma wrote:
> I am working on adding a high score list to a game written in C.
> (It's already packaged.) The high score list will be 664 root:games
> and the game binary will be sgid games --- nothing special here.
> I want to du
m_krb5.so
auth required /lib/security/pam_unix.so shadow md5 nullok likeauth
use_first_pass
> Can anybody tell me the right configuration to cure this last problem,
> so that every computer on our institute can be upgraded to AFS and
> Kerberos ?
>
> Any pointers to documentation or
On Sun, Aug 25, 2002 at 10:32:54AM -0500, Hanasaki JiJi wrote:
> computer1 and computer2
> - both run woody
> - both have the same /etc/resolve.con
> - both have the same ssh config
>
> ssh from 1 to 2 - no problems
> ssh from 2 to 1 - sshd reports a failed reverse dns lookup
>
u can "break" scp by making the users shell a menu script (i.e.
> /usr/bin/yourmenu instead of /usr/bin/bash) so they can not get to a $
> prompt. You also have to define your menu script as a shell
> (/etc/shell) so regular ftp will still work.
Or you could use pam_listfile or pa
reason to turn off PasswordAuthentication but leave
PAMAuthenticationViaKbdInt on.
[0] in the Debian configuration - if configured at build time without
PAM, PasswordAuthentication will use another mechanism to check
passwords.
--
William Aoki [EMAIL PROTECTED] /"\ ASCII
On Sun, May 19, 2002 at 11:46:10PM -0400, Bradley Alexander wrote:
> Hey all,
>
> I'm trying to get pam-opie working with openssh, but I guess I'm not
> getting the hang of it. I think I have all of the packages installed:
>
> [storm@defiant storm]$ dpkg -l | grep opie
> ii libpam-opie0.21
let you control who can receive data from the network, but it
will let you restrict who can send what.
--
William Aoki [EMAIL PROTECTED] /"\ ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B <- key change\ / No HTML in mail or news!
99AF A093 29AE 0A
day, time is for NTP,
> and I'm not sure what discard is used for.
'time' is RFC 868, a pre-NTP time synchronization protocol. It just
sends the time as a 32-bit int, where:
"The time is the number of seconds since 00:00 (midnight) 1 January 1900
GMT, such that the ti
>
Exactly. Perhaps this person's ISP is not filtering the bogus
messages from reaching its other customers, or perhaps the messages are
passing through outside routers that are not complying with the RFC, and
allowing them to travel so far. It's most likely that it is
s to the outer world. All other
services can be "bugged" just like the above tftp example.
The result is an excellent early-warning system.
If someone on another host with a finger daemon also installed and
similarly wrappered tries to connect to anything wrappered on
ebian.org/security/2000/2719a
[2] http://www.cert.org/advisories/CA-2000-17.html
Hope I have helped.
- Will Wesley, CCNA
"Furious activity is no substitute for understanding."
-- H.H. Williams
On Sat, Feb 09, 2002 at 09:39:00PM +0100, Johannes Weiss wrote:
>
> Hi,
> I have a security question:
> On my HTTP(s)/MAIL(SMTP,POP,IMAP)/SSH-Server:
> should I open(accept) or close(deny, perhaps reject?) the port 113???
Accept if you've chosen to run an ident server; otherwise, reject, but
don'
On Fri, Feb 01, 2002 at 04:22:43PM +0100, Laurent Luyckx wrote:
> In reply to Nemesis <[EMAIL PROTECTED]>:
>
> > Hello everybuddy:
> >
> > One question, please.
> >
> > When nessus gives a report and says
> >
> > "The remote SMTP server allows the relaying. This means that
> > it allows spamm
On Sun, Jan 20, 2002 at 01:41:44AM -0600, Nathan E Norman wrote:
> Hi,
>
> I'm setting up a project for some friends. I want each of them to
> have their own account, but I want the project to be hosted (and run
> under) a separate account. Each user should be able to su to the
> project account
, and more accurate.
Anyone wanna flame me, add to my thoughts, or compliment me? I guess as
a side note, I shouldn't say "we" since I doubt I am really eligible to
be a major contributor to such a project... Just my two cents, anyhow.
-Will Wesley
Great way to learn about mknod...
bo
On Mon, Jan 14, 2002 at 12:17:15PM +, Iain Tatch wrote:
> On 14 January 2002 at 11:48:34 [EMAIL PROTECTED] wrote:
>
> >> Have I missed something and was I already OK, or is the current stable
> >> potato release shipping with a potential ssh security hole?
>
> > AFAIK, all SSH1 connections
On Sun, Jan 13, 2002 at 07:05:10PM +0200, Jussi Ekholm wrote:
> Will Aoki <[EMAIL PROTECTED]> wrote:
>
> > Jan 12 20:54:43 badkey sshd[14848]: Connection from 127.0.0.1 port 4074
> [snip...]
>
> I would've wanted to ask, why I'm getting this kind of messag
On Mon, Jan 07, 2002 at 08:00:02PM +0100, Luc MAIGNAN wrote:
> Hi,
>
> my SSH connections don't go to the 'auth.log' file, but the sshd_config seems
> to be good. What can happen ?
Do you mean that you're not seeing *any* messages from sshd in the log
file, or that sshd is logging, but that you
cracker adds his own
super user account to /etc/passwd, tripwire can notify you that there
was a change to that file. this is good for recovering by the "maybe
it'll be safe once i remove all the changes method" and/or identifying a
break in. however if you have been following thi
hat receives a
request for a document with a preferred language of 'en-GB, fr' when both
an 'en' and 'fr' version exist will serve the French one. It will only
serve the English document before the French one if there is a version of
the file with en-gb for the language
mestamp file per user, instead of one per user per tty) I can wait
for the victim to sudo, and then sudo without entering his password.
3 and 4:
If the system's running Samba, access to /etc/smbpasswd lets me log in
to Samba as anyone who appears in /etc/smbpasswd. If the system is usin
do, and then sudo without entering his password.
3 and 4:
If the system's running Samba, access to /etc/smbpasswd lets me log in
to Samba as anyone who appears in /etc/smbpasswd. If the system is using
Netatalk with randnum authentication, users' AppleTalk passwords will
be sto