unsubscribe

2000-03-23 Thread daniel




Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread daniel
very bad news

On Tue, 13 May 2008 14:06:39 +0200, Florian Weimer [EMAIL PROTECTED]
wrote:
 
 --------------------------------------------------------------------------
 Debian Security Advisory DSA-1571-1                    [EMAIL PROTECTED]
 http://www.debian.org/security/                        Florian Weimer
 May 13, 2008                               http://www.debian.org/security/faq
 --------------------------------------------------------------------------
 
 
 Package: openssl
 Vulnerability  : predictable random number generator
 Problem type   : remote
 Debian-specific: yes
 CVE Id(s)  : CVE-2008-0166
 
 Luciano Bello discovered that the random number generator in Debian's
 openssl package is predictable.  This is caused by an incorrect
 Debian-specific change to the openssl package (CVE-2008-0166).  As a
 result, cryptographic key material may be guessable.
 
 This is a Debian-specific vulnerability which does not affect other
 operating systems which are not based on Debian.  However, other systems
 can be indirectly affected if weak keys are imported into them.
 
 It is strongly recommended that all cryptographic key material which has
 been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
 systems is recreated from scratch.  Furthermore, all DSA keys ever used
 on affected Debian systems for signing or authentication purposes should
 be considered compromised; the Digital Signature Algorithm relies on a
 secret random value used during signature generation.
 
 The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
 distribution on 2006-09-17, and has since propagated to the testing and
 current stable (etch) distributions.  The old stable distribution
 (sarge) is not affected.
 
 Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
 material for use in X.509 certificates and session keys used in SSL/TLS
 connections.  Keys generated with GnuPG or GNUTLS are not affected,
 though.
 
 A detector for known weak key material will be published at:
 
   http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
   http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc
 (OpenPGP signature)
 
 Instructions on how to implement key rollover for various packages will be
 published at:
 
   http://www.debian.org/security/key-rollover/
 
 This web site will be continuously updated to reflect new and updated
 instructions on key rollovers for packages using SSL certificates.
 Popular packages not affected will also be listed.
 
 In addition to this critical change, two other vulnerabilities have been
 fixed in the openssl package which were originally scheduled for release
 with the next etch point release: OpenSSL's DTLS (Datagram TLS,
 basically SSL over UDP) implementation did not actually implement the
 DTLS specification, but a potentially much weaker protocol, and
 contained a vulnerability permitting arbitrary code execution
 (CVE-2007-4995).  A side channel attack in the integer multiplication
 routines is also addressed (CVE-2007-3108).
 
 For the stable distribution (etch), these problems have been fixed in
 version 0.9.8c-4etch3.
 
 For the unstable distribution (sid) and the testing distribution
 (lenny), these problems have been fixed in version 0.9.8g-9.
 
 We recommend that you upgrade your openssl package and subsequently
 regenerate any cryptographic material, as outlined above.
 
 Upgrade instructions
 --------------------
 
 wget url
         will fetch the file for you
 dpkg -i file.deb
         will install the referenced file.
 
 If you are using the apt-get package manager, use the line for
 sources.list as given below:
 
 apt-get update
         will update the internal database
 apt-get upgrade
         will install corrected packages
 
 You may use an automated update by adding the resources from the
 footer to the proper configuration.
 
 
 Debian GNU/Linux 4.0 alias etch
 -------------------------------
 
 Source archives:
 
  


Re: [SECURITY] [DSA 2896-1] openssl security update

2014-04-11 Thread daniel

Dear all,

We are very concerned about the 'Heartbeat' security problem which has
been discovered with OpenSSL. Thanks to our out-of-date old-stable
version of debian, we are using:

openssl 0.9.8o-4squeeze14

This page also claims debian 6 (which we use) is unaffected:
https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability

as does the text of the DSA below.

However, both of the heartbeat vulnerability checkers we have used have
told us that they were able to successfully exploit this vulnerability
against our site:

http://filippo.io/Heartbleed/#noflag.org.uk
https://www.ssllabs.com/ssltest/analyze.html?d=noflag.org.uk

What could be going on here?

Thanks in advance for all your help,

Daniel

Salvatore Bonaccorso wrote:
 --------------------------------------------------------------------------
 Debian Security Advisory DSA-2896-1                    secur...@debian.org
 http://www.debian.org/security/                        Salvatore Bonaccorso
 April 07, 2014                             http://www.debian.org/security/faq
 --------------------------------------------------------------------------
 
 Package        : openssl
 CVE ID         : CVE-2014-0160
 Debian Bug     : 743883
 
 A vulnerability has been discovered in OpenSSL's support for the
 TLS/DTLS Heartbeat extension. Up to 64KB of memory from either client
 or server can be recovered by an attacker. This vulnerability might
 allow an attacker to compromise the private key and other sensitive
 data in memory.
 
 All users are urged to upgrade their openssl packages (especially 
 libssl1.0.0) and restart applications as soon as possible.
 
 According to the currently available information, private keys should
 be considered as compromised and regenerated as soon as possible.
 More details will be communicated at a later time.
 
 The oldstable distribution (squeeze) is not affected by this 
 vulnerability.
 
 For the stable distribution (wheezy), this problem has been fixed in 
 version 1.0.1e-2+deb7u5.
 
 For the testing distribution (jessie), this problem has been fixed
 in version 1.0.1g-1.
 
 For the unstable distribution (sid), this problem has been fixed in 
 version 1.0.1g-1.
 
 We recommend that you upgrade your openssl packages.
 
 Further information about Debian Security Advisories, how to apply 
 these updates to your system and frequently asked questions can be 
 found at: http://www.debian.org/security/
 
 Mailing list: debian-security-annou...@lists.debian.org
 
 


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/534809aa.2000...@noflag.org.uk



Re: Aw: Re: [SECURITY] [DSA 2896-1] openssl security update

2014-04-11 Thread daniel

Thank you all for your help. Mod_spdy has a statically-linked vulnerable
version of OpenSSL. After the standard update we are no longer vulnerable.

Daniel

Estelmann, Christian wrote:
 Your server talks spdy. Have you upgraded mod_spdy to 0.9.4.2?
 
 (for mod_spdy you need an Apache HTTP Server 2.4.X, in squeeze there
 is only 2.2.16 ...)
 
 Sent: Friday, 11 April 2014 at 17:26
 From: daniel dan...@noflag.org.uk
 To: debian-security@lists.debian.org
 Cc: - Noflag ad...@lists.noflag.org.uk
 Subject: Re: [SECURITY] [DSA 2896-1] openssl security update
 
 
 


Archive: https://lists.debian.org/53489e89.2070...@noflag.org.uk
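The situation Daniel hit (a copy of OpenSSL linked statically into mod_spdy, which the libssl package update cannot touch) can be hunted for mechanically. The script below is an added example, not from the thread or from Debian: it pulls the embedded "OpenSSL x.y.z" banner out of every file under a directory and flags versions in the range the advisory fixed in 1.0.1g; the affected range 1.0.1 to 1.0.1f is an assumption stated in the code, and the sample module files it scans are constructed.

```shell
#!/bin/sh
# Added example: find OpenSSL copies that were linked statically into other
# binaries, so that upgrading the libssl package alone does not fix them.

# Assumed affected range for CVE-2014-0160: 1.0.1 up to and including 1.0.1f
# (the advisory above says the fix shipped in 1.0.1g; 0.9.8 is not affected).
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull "OpenSSL x.y.z<letter>" banners out of an arbitrary (binary) file.
# tr reduces the file to printable runs so that sed can be used portably.
embedded_openssl_versions() {
    tr -c '[:print:]' '\n' < "$1" \
        | sed -n 's/.*OpenSSL \([0-9]\.[0-9]\.[0-9][a-z]*\) .*/\1/p' \
        | sort -u
}

# Walk a directory tree; one output line per banner found:
#   <path> <version> AFFECTED|ok
# Typical use: scan_for_static_openssl /usr/lib/apache2/modules
scan_for_static_openssl() {
    find "$1" -type f | sort | while read -r f; do
        embedded_openssl_versions "$f" | while read -r v; do
            if heartbleed_affected "$v"; then
                printf '%s %s AFFECTED\n' "$f" "$v"
            else
                printf '%s %s ok\n' "$f" "$v"
            fi
        done
    done
}

# Constructed sample tree standing in for a modules directory; prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    # a module carrying its own 1.0.1e, surrounded by non-printable bytes
    printf '\001\002OpenSSL 1.0.1e 11 Feb 2013\001\002' > "$d/mod_spdy.so"
    # the distribution's own 0.9.8o library, outside the affected range
    printf '\001OpenSSL 0.9.8o 01 Jun 2010\001' > "$d/libssl0.9.8.so"
    # a module without any embedded copy
    printf '\001no ssl here\001' > "$d/clean.so"
    printf '%s\n' "$d"
}
```

Run `scan_for_static_openssl "$(make_sample_dir)"` to see the constructed case; on a real host point it at the directories your services load modules and binaries from.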



Re: Debians security features: Which are active?

2014-05-17 Thread daniel

It would however be useful for Debian administrators interested in
security to know somehow what these features do, under what
circumstances they would be useful, and how to enable them in Debian. I
found the Hardening Debian guides on the wiki (linked to earlier)
difficult to understand and apply in this regard.

Daniel

Cédric Lemarchand wrote:
 Please, honestly, do you know what every feature in this list does,
 how it could benefit you and in which way?
 
 Or will your choice *only* be based on the number of
 supported/enabled features?
 
 
 On 17/05/2014 12:38, herzogbrigit...@t-online.de wrote:
 Thank you for all your replies. I understand that the user is
 important for security, but it's a difference whether you start
 from scratch or you can work with something prebuilt. So, could you
 tell me which of the following security features are enabled in
 Debian by default and which I have to activate manually:
 
 Stack Protector
 Heap Protector
 Pointer Obfuscation
 Stack ASLR
 Libs/mmap ASLR
 Exec ASLR
 brk ASLR
 VDSO ASLR
 Built as PIE
 Built with Fortify Source
 Built with RELRO
 Built with BIND_NOW
 Non-Executable Memory
 /proc/$pid/maps protection
 Symlink restrictions
 Hardlink restrictions
 ptrace scope
 0-address protection
 /dev/mem protection
 /dev/kmem disabled
 Block module loading
 Read-only data sections
 Stack protector
 Module RO/NX
 Kernel Address Display Restriction
 Blacklist Rare Protocols
 Syscall Filtering
 Block kexec
 
 For further information go to
 https://wiki.ubuntu.com/Security/Features
 
 
 Thank you very much!
 
 Brigitte Herzog
 
 
 -Original Message-
 Subject: Debians security features in comparison to Ubuntu
 Date: Fri, 16 May 2014 22:04:07 +0200
 From: herzogbrigit...@t-online.de herzogbrigit...@t-online.de
 To: debian-security@lists.debian.org
 
 Hello there, I'm a new user of the great Debian distro for my
 Desktop. But when I talked to a friend and I told him that I'm
 using Debian (Wheezy) for my desktop computer, he told me that I
 shouldn't use it because it is not secure. He told me to use Ubuntu
 instead. He explained that by the fact that Ubuntu has more
 security features enabled than Debian (also more compiler flags for
 security) in a fresh install. He gave me a link to the following
 site: https://wiki.ubuntu.com/Security/Features
 
 So, I'm very happy with Debian but because my friend seems to be an
 expert for Linux, I don't know if I can use Debian. Can you tell me
 which of the security features promoted by Ubuntu are also enabled
 in Debian?
 
 Thank you very much!
 
 Brigitte Herzog
 
 
  
 
 
 
 


Archive: https://lists.debian.org/53774aca.9080...@noflag.org.uk
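Several items in Brigitte's list are kernel-side switches that an administrator can read straight from /proc/sys, which answers part of Daniel's "how do I know what is on" question. The script below is an added example, not from the thread or from Debian: the feature-to-sysctl mapping follows the Ubuntu page linked above, and the 65536 floor used for mmap_min_addr is an assumed x86 default; compile-time features such as PIE, RELRO and Fortify Source are properties of individual binaries and are not covered.

```shell
#!/bin/sh
# Added example: report which kernel-side hardening features from the list are
# active on the running system by reading the sysctl that backs each one.

# Print "enabled" or "disabled" for one feature given its sysctl value.
# Unknown feature names return status 2 and print nothing.
feature_state() {
    feature=$1; value=$2; ok=0
    case "$feature" in
        aslr)            # kernel.randomize_va_space: 2 = stack, mmap, brk and exec ASLR
            if [ "$value" -eq 2 ]; then ok=1; fi ;;
        kptr_restrict)   # kernel address display restriction: 1 or 2 hide pointers
            if [ "$value" -ge 1 ]; then ok=1; fi ;;
        mmap_min_addr)   # 0-address protection; 65536 is the assumed x86 floor
            if [ "$value" -ge 65536 ]; then ok=1; fi ;;
        protected_symlinks|protected_hardlinks|ptrace_scope|modules_disabled|kexec_load_disabled)
            if [ "$value" -ge 1 ]; then ok=1; fi ;;
        *)  return 2 ;;
    esac
    if [ "$ok" -eq 1 ]; then echo enabled; else echo disabled; fi
}

# Map each feature to the /proc/sys file behind it and print its state.
# Output: "<feature> <enabled|disabled|not available (sysctl missing)>"
kernel_hardening_report() {
    for pair in \
        aslr:kernel/randomize_va_space \
        kptr_restrict:kernel/kptr_restrict \
        mmap_min_addr:vm/mmap_min_addr \
        protected_symlinks:fs/protected_symlinks \
        protected_hardlinks:fs/protected_hardlinks \
        ptrace_scope:kernel/yama/ptrace_scope \
        modules_disabled:kernel/modules_disabled \
        kexec_load_disabled:kernel/kexec_load_disabled; do
        feature=${pair%%:*}
        path=/proc/sys/${pair#*:}
        if [ -r "$path" ]; then
            printf '%-20s %s\n' "$feature" "$(feature_state "$feature" "$(cat "$path")")"
        else
            printf '%-20s %s\n' "$feature" "not available (sysctl missing)"
        fi
    done
}
```

`kernel_hardening_report` on a Debian host shows which switches are on by default and which (ptrace_scope, modules_disabled, kexec_load_disabled) need a sysctl.d entry or a boot-time setting to enable.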



Re: Debian mirrors and MITM

2014-05-30 Thread Daniel
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
 Several times (public and private) I tried to explain how the download
 of APT (the binary itself) on an initial Debian install could be
 compromised via MITM since it's over plaintext. Then the verification of
 packages could simply be skipped (hence NOP). I'm not sure why you're
 bringing libc and libgpg into the conversation.
 
 Alfie
 

Hello.

The thing is: When you download an .iso file, that .iso file also
contains a signing key used to verify each package it downloads during
the installation. Encryption is not important in this aspect, because
what you are downloading is already publicly available and not secret.
Everyone can download the same packages as the installer. Those are
already public.

The important bit is to verify that what you are downloading either
manually, or via the installer, hasn't been tampered with. That is
verification, and that is what is interesting here. The .iso file
already contains a public key, and verifies every package it downloads
along the way. You can disable that by hacking a bit in the installer,
but it does require an effort.

For the next problem: Some mirror might theoretically have an .iso file
which has been tampered with, but you should check the checksum for that
file with what you find in the debian web-pages. If you download a .iso
file via HTTP, it might have been tampered with, and if someone is
intercepting your request for the public key, it might be changed. But I
think that would be a problem anyways...


Archive: https://lists.debian.org/20140530141605.GC17668@s1.t11.local



Re: concrete steps for improving apt downloading security and privacy

2014-07-08 Thread Daniel
On Mon, Jul 07, 2014 at 02:54:15PM -0400, Hans-Christoph Steiner wrote:
 
 Do you have another idea for making it difficult for network observers to keep
 track of the software people are using?
 
Well, you can always mirror the entire repository and configure
your server/desktop to use that instead. That way no one can tell
for certain which packages you are using, and as a bonus, you have
offline access if your internet connection goes down.

I am not sure about the size of it though.

 Do you think it does not matter that governments and companies are tracking
 the packages that people are downloading?
 
 
 .hc
 


Archive: https://lists.debian.org/20140708211638.gc24...@noserver.visp.name



Re: vacation mail

2014-08-07 Thread Daniel
It's not the first, and it won't be the last.

Y'know, if I was a malicious individual I might lurk the Debian security 
mailing lists until I saw such an announcement, and then wait for a security 
vulnerability, for example [DSA 2998-1] to be posted thereafter. Deducing that 
the individual or their organisation ran Debian, I might then scan or probe the 
domain which issued the vacation mail to ascertain if they were vulnerable. 
Having all the information I needed to take advantage of the vulnerability in 
the DSA, I might then attack said individual or their organisation, safe in the 
knowledge that they would not be back in the office to deal with the problem 
until August 25th. Such vacation mails would make my job a lot easier.

It is fortunate for the senders of such mails that I am not a malicious 
individual.

Best regards,

Daniel

On 6 Aug 2014, at 09:49, Grond wrote:

 Bugger, but someone has *reeaally* poor manners.
 
 A vacation notice to a mailing list?
 I mean; really?
 
 I do *hope* that we will not be spammed by this until 
 August 25th.
 
 (I realize that this rant may not meet
 minimum notability for this list.)
 
 
 On Tue, Aug 05, 2014 at 08:13:31PM +0200, programac...@sf-informatica.com 
 wrote:
 Messages sent to this e-mail address will not be attended to until 25 
 August. If it is urgent, please contact urgenc...@sf-informatica.com. 
 Sorry for the inconvenience.
 
 (The same notice was repeated in Spanish.)
 
 
 
 
 
 -- 
 
 Attached is my PGP public key.
 Primary key fingerprint: B7C7 AD66 D9AF 4348 0238  168E 2C53 D8FA 55D8 9FD9
 
 If you have a PGP key (and a minute to spare)
 please send it in reply to this email.
 
 If you have no idea what PGP is, feel free
 to ignore all this gobbledegook.


Archive: 
https://lists.debian.org/646a2551-a655-4620-b57f-46a5cbed4...@noflag.org.uk



Re: are unattended updates a good idea?

2015-01-31 Thread Daniel
On Sat, Jan 31, 2015 at 02:50:31PM +0100, Ml Ml wrote:
 Thank you very much! Your comments have been really helpful.
 
 Cheers,
 Mario
 
 On Sat, Jan 31, 2015 at 12:53 PM, Michael Zoet michael.z...@zoet.de wrote:
  Hi,
 
  Hello List,
 
   I have got about 50 Debian 6+7 Servers. They are doing all kind of
   things like Webserver, Mailserver, DNS, etc…
  
   I am using apticron to keep track of the updates, but I seem to use
   more and more time updating the hosts.

Also, you should note that some services might be restarted automatically
during this process, so if you have long running nightly jobs or something
similar it might cause some issues. This issue could also be true in reverse:
some service might have to be manually restarted to load updated libraries
and such.

MySQL server upgrades might break nightly jobs because of restarts, kernel
upgrades would probably need a reboot etc so you should keep an eye on
these things.

That being said: We have used unattended-upgrades on our servers for a
couple of years and we have never had any problems with the packages
themselves yet though, so this seems to be a smaller problem. Still, you
should consider having a test server with tools like needrestart and
apt-listchanges, and a test suite for your applications to check if
they still work with the new packages and that every service is back to
normal afterwards.

Just sharing my thoughts about this.

- Daniel


Archive: https://lists.debian.org/20150201051415.gb19...@noserver.visp.name
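Daniel's second failure mode, a service that keeps running old library code after the package on disk was replaced, is visible in /proc/<pid>/maps: the kernel marks such mappings "(deleted)", which is the same signal needrestart works from. The script below is an added example, not from the thread or from needrestart; it assumes a Linux /proc, and the maps excerpt it tests against is constructed.

```shell
#!/bin/sh
# Added example: find running processes that still map a shared library which
# an upgrade has since replaced on disk, i.e. services that need a restart.

# Read /proc/<pid>/maps text on stdin; print each distinct file-backed shared
# object whose mapping is marked "(deleted)". Deleted mappings that are not
# libraries (/dev/zero, memfd, [stack]) are skipped.
deleted_libs_in_maps() {
    awk '
    NF >= 7 && $NF == "(deleted)" {
        path = $(NF - 1)
        if (path ~ /^\// && index(path, ".so") > 0 && !seen[path]++) print path
    }'
}

# Walk /proc and print "<pid> <comm> <library>" for every live process holding
# a replaced library. Reading other users maps files needs root.
processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        deleted_libs_in_maps < "$maps" | while read -r lib; do
            printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$lib"
        done
    done
}

# Constructed maps excerpt: a mysqld that still holds the pre-upgrade libssl,
# plus a deleted /dev/zero mapping that must not be reported.
sample_maps() {
    cat <<'EOF'
00400000-0040b000 r-xp 00000000 08:01 131 /usr/sbin/mysqld
7f1a0000-7f1a2000 r-xp 00000000 08:01 262 /usr/lib/libssl.so.0.9.8 (deleted)
7f1a2000-7f1a3000 rw-p 00002000 08:01 262 /usr/lib/libssl.so.0.9.8 (deleted)
7f1b0000-7f1b1000 r-xp 00000000 08:01 300 /lib/libc-2.11.3.so
7f1c0000-7f1c1000 rw-s 00000000 00:05 12 /dev/zero (deleted)
7ffd0000-7ffd2000 rw-p 00000000 00:00 0 [stack]
EOF
}
```

`sample_maps | deleted_libs_in_maps` shows the constructed case; `processes_needing_restart` run as root after an unattended-upgrades run lists what still has to be restarted by hand.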



Re: funny rpc.statd events

2000-10-10 Thread Daniel Jacobowitz

This was fixed a month or two before potato was released.



On Tue, Oct 10, 2000 at 09:09:52PM -0500, Herbert Ho wrote:
 hi guys. i have logcheck installed so i got this message tonight:
 
 (sorry about the long lines, its the way it came to me)
 
 Unusual System Events
 =-=-=-=-=-=-=-=-=-=-=
 Oct 10 19:31:37 thosolin 
 Oct 10 19:31:37 thosolin /sbin/rpc.statd[125]: gethostbyname error for 
^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2!
 !
 20\220\220\220\220\220\220\220\220\220\220
 Oct 10 19:31:37 thosolin 
Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
 Oct 10 19:31:37 thosolin 
 Oct 10 19:31:37 thosolin syslogd: Cannot glue message parts together
 Oct 10 19:31:37 thosolin /sbin/rpc.statd[125]: gethostbyname error for 
^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2!
 !
 20\220\220\220\220\220\220\220\220\220\220
 Oct 10 19:31:37 thosolin 
Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
 
 
 it's nasty. sorry. =p
 
 so should i be worried? and is the rpc.statd a security risk?
 
 i have potato-based, "testing" installed.
 
 thanks in advance.
 
 
 herbert
 
 
 
 


Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/


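Herbert's logcheck report is the kind of line a rule can classify automatically: the payload is recognisable by its run of %x conversions followed by %n writes, and by the long run of \220 bytes. The script below is an added example, not from the thread or from logcheck; its sample lines are constructed in the shape of the messages above, not copied from a live system.

```shell
#!/bin/sh
# Added example: classify syslog lines as a logcheck-style rule would, flagging
# printf-style format-string payloads and NOP sleds without needing to know
# whether the daemon that logged them was actually vulnerable.

# Print exactly one of: format-string, nop-sled, benign.
classify_syslog_line() {
    printf '%s\n' "$1" | awk '
    {
        writes = gsub(/%[0-9]*n/, "&")    # %n / %137n: attempts to write memory
        reads  = gsub(/%[0-9]*x/, "&")    # %8x / %236x: walking up the stack
        sled   = index($0, "\\220\\220\\220\\220\\220\\220\\220\\220") > 0
        if (writes >= 1 && reads >= 4) print "format-string"
        else if (sled)                 print "nop-sled"
        else                           print "benign"
    }'
}

# Constructed samples in the shape of the quoted messages.
SAMPLE_ATTACK='Oct 10 19:31:37 thosolin /sbin/rpc.statd[125]: gethostbyname error for %8x%8x%8x%8x%236x%n%137x%n\220\220\220\220\220\220\220\220\220\220'
SAMPLE_GLUE='Oct 10 19:31:37 thosolin syslogd: Cannot glue message parts together'
SAMPLE_BENIGN='Oct 10 19:40:02 thosolin /sbin/rpc.statd[125]: gethostbyname error for nfsclient.example'

# Summarise a whole log read from stdin as "<count> <class>" lines.
summarise_log() {
    while IFS= read -r line; do
        classify_syslog_line "$line"
    done | sort | uniq -c
}
```

Feed a day's syslog through `summarise_log` to see how often the pattern appears; a single hit means the attempt was logged, not that it succeeded, which is Dan's point above.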




Re: funny rpc.statd events

2000-10-10 Thread Daniel Jacobowitz

On Tue, Oct 10, 2000 at 10:28:39PM -0400, Ben Pfaff wrote:
 Daniel Jacobowitz [EMAIL PROTECTED] writes:
 
  This was fixed a month or two before potato was released.
 
 I've seen those too, on up-to-date woody, so I don't think it
 really got fixed.

To clarify this, the logging of the message does not indicate a
problem.  If the attack had succeeded, rpc.statd would most likely
have crashed before it finished writing to the syslog (I think... don't
quote me on that).  It will certainly continue to log the attack in
this annoying manner.  Potato and woody are not vulnerable.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: what is on port 13223

2000-10-12 Thread Daniel Jacobowitz

On Wed, Oct 11, 2000 at 10:11:31PM -0800, Ethan Benson wrote:
 
 Does anyone know what port 13223 is?  today i have been getting a
 massive number of connection attempts to that port from several
 different addresses.  
 
 -- 
 Ethan Benson
 http://www.alaska.net/~erbenson/

Probably some current trojan.  Maybe a sub7 variant?  There's a trojan
list on the web somewhere.


Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: php3 security update breaks imp webmailer

2000-10-20 Thread Daniel Jacobowitz

On Fri, Oct 20, 2000 at 04:39:39PM +0200, Thomas Gebhardt wrote:
 Hi,
 
 I got this response from the IMP mailing list:
 
 Chuck Hagenbuch [EMAIL PROTECTED] :
 
 Unfortunately, 3.0.17 is broken - it's nothing to do with IMP, except that we
 happen to hit the broken functionality. The PHP folks know about it, and
 hopefully 3.0.18 will be out soon.

Yep, so I've gathered.  I'll do a new security upload when this
happens.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: security.debian.org mirrors?

2000-10-20 Thread Daniel Jacobowitz

On Fri, Oct 20, 2000 at 01:32:54PM +0300, Mikko Kilpikoski wrote:
 Hi.
 
 I'm unable to reach security.debian.org or nonus.debian.org
 and can't find a mirror for security.debian.org.  Is there any?
 Where? Can I trust it/them? Oh, and does it contain the security
 fixes for nonus packages (if any)?

I believe it is a matter of trust and of instant distribution; we can
provide uploads to everyone using the security site in a very limited
amount of time.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: security.debian.org mirrors?

2000-10-22 Thread Daniel Jacobowitz

On Sun, Oct 22, 2000 at 06:37:42PM +0200, Florian Friesdorf wrote:
 On Sat, Oct 21, 2000 at 03:50:18PM +0200, Wichert Akkerman wrote:
  Previously Florian Friesdorf wrote:
   What are the differences between
   http://http.us.debian.org/debian dists/potato-proposed-updates/ 
   and
   http://security.debian.org potato/updates main contrib non-free
   ?
  
  One is updates that might make it into a revision of potato, 
  and the other are verified security fixes.
 
 ok, please correct me if I'm wrong.
   - security fixes will make it sooner or later into proposed-updates

That's the principle, yes.

   - to get security fixes as fast as possible I use
 security.debian.org

Yep.

   - new features only appear in proposed-updates

Generally (when possible), yes.

   - I should use potato security fixes with woody

Well, it's safe to list it as an apt source, and there will
occasionally be things available there before in unstable.  But fixes
also tend to go straight into unstable.


Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: task-unstable-security-updates?

2000-11-20 Thread Daniel Jacobowitz

On Mon, Nov 20, 2000 at 08:21:10AM -0500, Itai Zukerman wrote:
   It would be very helpful if there was a pseudo-package that conflicted
   with packages that have known security problems that have been fixed in a
   later version.  That way one could do a regular 'apt-get install
   task-unstable-security-updates' and cause the upgrade of all the
   conflicting packages that are currently installed on your system.
 
 Seems like a great idea to me.
 
 If the BTS had a "security" tag, then this could be done
 automatically.  A quick look through the debian-devel archives, and I
 can't find discussion of this tag.  Was there some reason it wasn't
 introduced?

Most of our security fixes are never filed as bugs - and can not be. 
The BTS is public, and preliminary security advisories are not.
Filing them after they are publicized is, on the whole, redundant.

   Is that possible?  Would the security team be willing to maintain such a
   pseudo-package?
  
  Not really.  Our priority is stable; security fixes make it to unstable
  somewhat haphazardly, especially for more obscure architectures.  The
  maintenance cost on something like this is prohibitively high.
  
  The answer is just to watch one single list - debian-security-announce. 
  That's what it's for :)
 
 I'm not sure I understand the reasoning here.  If the answer is to
 watch the debian-security-announce list, then what prevents someone
 watching the list from maintaining the proposed virtual package?

The problem is that, for one thing, maintaining this package usefully
requires getting all fixes compiled on all architectures for unstable. 
That's impractical; we do the best that we can, but it's too time
consuming and too complicated, especially given the quirks of some of
our architectures.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: Problems with root on network clients

2000-11-26 Thread Daniel Jacobowitz

On Fri, Nov 24, 2000 at 01:08:14PM -0400, Brad Allen wrote:
 erbenson NFS is insecure, deal with it.
 
 Such as use something besides NFS that is secure; the options are thin
 and immature, but you may still look around because I have a feeling
 there may be a good match, if you're willing to sacrifice admin time
 to the task.  For instance, I'm curious if CODA has played this trick.
 They talk about distribution, security, etc.  Plus, administration of
 local disk caches could become really easy with CODA -- 4GB disk
 cache, now that's nice; it's as if you only really have one machine in
 some administrative senses.  Now, somebody tell me if I'm wrong.
 There is a whole page of Linux filesystems besides EXT2 and NFS out
 there someplace.  Find it and take a good research if you have the
 time.

If you're willing to invest the time to learn it properly, I recommend
AFS as a solution.  The linux port is a little immature, but coming
along surprisingly well.

See www.openafs.org for (not much) more information, and:
deb http://www.mit.edu/afs/sipb/project/openafs/debian packages/

for some preliminary packages.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: Debian audititing tool?

2000-12-26 Thread Daniel Ginsburg

On Tue, Dec 26, 2000 at 09:27:53PM +0200, Pavel Minev Penev wrote:
 On Tue, Dec 26, 2000 at 05:27:07PM +0300, [EMAIL PROTECTED] wrote:
  Of course plain md5 hashes are not very helpful. But we can keep MAC[1] for
  binaries. Tampering with MAC database is useless.
 
  ...
 
  [1] Message Authentication Code. One of possible ways to compute MAC is
  H(K,H(K,M)) where H is one-way hash function (MD5 or better SHA), K is key, M
  is message (protected binary).
 
 Hey, I'm not very good at crypto; however, I was wondering what prevents the
 intruder from regenerating the MAC data-base (and what is the point of the
 double hashing you have stated as "H(K,H(K,M))"?).



The Book (Bruce Schneier, "Applied Cryptography"):

Alice concatenates K and M, and computes the one-way hash of concatenation: 
H(K,M). This hash is the MAC. Since Bob knows K, he can reproduce Alice's
result. Mallory, who does not know K, can't.

This method works with MD-strengthening techniques, but has serious problems.  Mallory 
can always add new blocks to the end of message and compute a valid MAC.
This attack can be thwarted if you put the message length at the beginning, but
Preneel is suspicious of this scheme. It is better to put the key at the end 
of message, H(M,K), but this has some problems as well.



The following constructions seem secure:
H(K1,H(K2,M))
H(K,H(K,M))
H(K,p,M,K), where p pads K to full message block.



 Sorry if off-topic (though a nice critical note would be fine).
 
 And don't forget to be gay (at least on Christmas),
 -- 
 Pavel M. Penev
 
 
 

-- 
dg



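As an added worked example, not from dg's message or from Schneier's book: a small pure-Python SHA-1 whose compression function can be resumed from a chosen chaining value, used to carry out exactly the block-appending forgery described above against H(K,M), and to show that the nested H(K,H(K,M))-style construction, in its standardised HMAC form, does not fall to it. The key, message and appended data are constructed for the demo; Mallory is assumed to know only the key's length.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_padding(total_len):
    """Bytes SHA-1 appends to a total_len-byte message (MD strengthening):
    0x80, zeros up to 56 mod 64, then the bit length as a 64-bit big-endian int."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)


def sha1(data, state=None, prefix_len=0):
    """Pure-Python SHA-1.  With state/prefix_len set, compression resumes from a
    known chaining value as if prefix_len bytes (a multiple of 64) were already
    absorbed, which is exactly what a length-extension attacker does."""
    h = list(state) if state else [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = data + sha1_padding(prefix_len + len(data))
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (_rotl(a, 5) + (f & MASK32) + e + k + w[i]) & MASK32
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def naive_mac(key, msg):
    """Schneier's first construction, H(K,M): the secret key is simply prepended."""
    return sha1(key + msg)


def hmac_sha1(key, msg):
    """Nested keyed hash (RFC 2104 HMAC), the practical form of H(K,H(K,M))."""
    if len(key) > 64:
        key = sha1(key)
    key = key.ljust(64, b"\x00")
    inner = sha1(bytes(k ^ 0x36 for k in key) + msg)
    return sha1(bytes(k ^ 0x5C for k in key) + inner)


def length_extend(tag, msg, key_len, extension):
    """Mallory's attack on H(K,M): knowing only len(K), M and tag = H(K || M),
    produce a valid tag for M || pad || extension without ever seeing K."""
    glue = sha1_padding(key_len + len(msg))       # padding H applied internally
    forged_msg = msg + glue + extension
    resumed_state = struct.unpack(">5I", tag)     # the tag *is* the chaining value
    forged_tag = sha1(extension, state=resumed_state,
                      prefix_len=key_len + len(msg) + len(glue))
    return forged_msg, forged_tag


def demo(key=b"s3cret-key-16byt", msg=b"user=alice&role=user", extension=b"&role=admin"):
    """Constructed inputs.  Returns (naive_forgery_verifies, hmac_forgery_verifies)."""
    m1, t1 = length_extend(naive_mac(key, msg), msg, len(key), extension)
    m2, t2 = length_extend(hmac_sha1(key, msg), msg, len(key), extension)
    return naive_mac(key, m1) == t1, hmac_sha1(key, m2) == t2


def self_check():
    """Cross-check the toy primitives against the standard library."""
    k, m = b"Jefe", b"what do ya want for nothing?"
    return (sha1(m) == hashlib.sha1(m).digest()
            and hmac_sha1(k, m) == hmac.new(k, m, hashlib.sha1).digest())


if __name__ == "__main__":
    print("self-check:", self_check())
    print("H(K,M) forgery accepted:", demo()[0], "/ HMAC forgery accepted:", demo()[1])
```

The forged message contains the glue padding bytes in the middle, which is why "put the length at the beginning" is a partial fix: it only helps if the verifier actually parses that length. The nested form works because the outer hash's input (the inner digest) is never something Mallory can extend from.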



Re: rpc.statd attack?

2001-01-09 Thread Daniel Jacobowitz

On Tue, Jan 09, 2001 at 12:31:59PM -0800, [EMAIL PROTECTED] wrote:
 I got the following (alarming) messages on syslog:
 
 Jan  8 13:34:23 yuban syslogd: Cannot glue message parts together Jan
 8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for
 
^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8
 x%236x%n%137x%n%10x%n%192x%n\220


 it looks like an attack (specially when I see /bin/sh hidden in
 there). I searched the lists and it seems that this problem should
 have been corrected before potato was released. Any reason for
 worries, or is there any reason why I should think it was an
 unsuccessful attack?


If it had been a successful attack, the %x and %n's in the above would
not have come through to syslog; it would have crashed well beforehand.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: Disappointment in security handling in Debian

2001-02-01 Thread Daniel Jacobowitz

On Thu, Feb 01, 2001 at 02:12:40PM +0100, Mathieu Dessus wrote:
 This is not directly related to this thread, but this post reminds me
 that generally the translations pages of Security Information page (
 http://www.debian.org/security/ ) are generally not up to date.
 And with the automatic switch to the page corresponding to your
 language's preference, I've been fooled several times, thinking that
 Debian security was not up to date.
 
 What about adding a link to the original version with an warning or
 simply disabling automatic switching language for this page ?

The web people tell me that this was a bug in the automatic
regeneration of the web pages; it should be fixed.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: How to use apt to install security updates ?

2001-02-11 Thread Daniel Jacobowitz

On Sun, Feb 11, 2001 at 06:14:39PM +0100, Christian Schlettig wrote:
 Hello,
 
 I'm new to the list and I've just read the security.debian.org page and inserted the 
"deb http://security.debian.org/ slink updates"
 line to my /etc/apt/sources.list.
 
 When i run apt-get update i'll get the following output:
 
 :/home/user# apt-get update
 Get:1 http://security.debian.org slink/updates Packages [19.4kB]
 Get:2 http://security.debian.org slink/updates Release [105B]
 Fetched 19.5kB in 3s (5958B/s)
 Reading Package Lists... Done
 Building Dependency Tree... Done
 
 and nothing else.
 
 I'm using the original files from somewhere October so i'm wondering why there are 
 no new packages for me ?!
 
 What am i doing wrong.

Are you really running slink?  We don't support that any more; you
should upgrade to potato, which has been out since last August.  The
web page does not reference slink any more...

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: Food for thought - SECURITY (design flaw?)

2001-02-12 Thread Daniel Jacobowitz

On Mon, Feb 12, 2001 at 10:43:33AM -0200, Carlos Carvalho wrote:
 Andreas Tille ([EMAIL PROTECTED]) wrote on 12 February 2001 11:32:
  IMHO people of security team shouldn't spend their time to serve
  security fixes for testing.  People who want to use testing on
  security relevant machines should know what they do and should be
  able to handle those issues themselves.  Those hazardeurs could try
  to fix important bugs of the package which is stick to unstable for
  whatever reason which would help the whole distribution or backport
  the stuff themself.
 
 What's the purpose of testing exactly? If it's a preparation for
 becoming stable it should obviously include the security fixes,
 otherwise when the transition testing - stable happens you're... If
 it's not a preparation for stable it has no purpose.

It is preparation for becoming stable, but not "on half a moment's
notice".  Security fixes go into unstable and trickle into testing. 
The principle, I think, is that we can throttle the packages being
allowed into testing for an easier release cycle.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/






Re: secure install

2001-02-20 Thread Daniel Stark

When you clone mirrors you usually have to take some steps.  Typically, 
depending on your mirror, you need to break the mirror and clone each side 
separately.  Someone told me this was because of drive signing or some other 
thing, but I'm not sure if that's the truth.


From: Carel Fellinger [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: secure install
Date: Sun, 18 Feb 2001 03:38:24 +0100

On Sat, Feb 17, 2001 at 02:14:44PM -0500, Steve Robbins wrote:
  On Sat, Feb 17, 2001 at 06:21:04PM +0100, Carel Fellinger wrote:
...
   The disadvantage of this command is that it doesn't preserve 
hardlinks.
 
  Really?  Mine preserves hard (and soft) links.

strange...reading...hm it says it does...trying...and it does, how come?

I'm sure that just days ago whilst copying my mirror with cp -a to
a new drive the size of the new mirror exploded, but using good old
tar the size of the new mirror was about the same as the old mirror.
I think I checked some hardlinks, and sure enough they had vanished,
but in the light of this new test I'm not so sure anymore. Anyway,
cp -a seems to work.

--
groetjes, carel










Re: Debian or Linux 7???

2001-02-20 Thread Daniel Stark

How exactly did you get hacked?  Did you leave security holes large enough 
for a bus to drive through open?  Open your inetd.conf file and # out 
everything!  The only thing you need open is port 22.  Others will disagree, 
but depending on what your server is used for, this should be your first step 
for security.


From: Steve Rudd [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Debian or Linux 7???
Date: Mon, 19 Feb 2001 18:12:29 -0500

Hi!

I am frustrated with the linux 2.2 kernel. I have had two hacks in 3 months
and I am going broke rebuilding my server.

I went out and bought Redhat 7, and got hacked 6 weeks later.

I have been placed in contact with a guy who wants me to use Debian. But if
it based upon the same kernel as redhat, how is it going to be more secure?
I checked and found that

from (http://www.securityfocus.com/)
Security risks for years: 1997-2000 respectively:
Debian 3, 2, 32, 45, 12
RedHat 6, 10, 49, 85, 20

So Debian is about twice as good as redhat, but that is not real 
reassuring.

I am considering joining the debian family, but am a bit concerned about
security.

Just how much more secure is Debian than redhat?

Thanks!

Steve Rudd










Re: secure install

2001-02-20 Thread Daniel Stark

You know, Ghost 2001 supports the ext2 partition on certain versions of 
Linux.  It doesn't officially support Debian Linux, but I've cloned my 
Debian laptop and my Debian desktop many times.


From: "Thor" [EMAIL PROTECTED]
To: "Zak Kipling" [EMAIL PROTECTED], [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: secure install
Date: Sat, 17 Feb 2001 14:49:03 +0100

Hi

  On Sat, 17 Feb 2001 [EMAIL PROTECTED] wrote:
 
   i am sure that is note the case,
   the only requirement is that the target media is the
   same size or larger?
 
  Indeed. Most filesystems, including ext2, are independent of the disk
  geometry. So you can "dd" _partitions_ (eg /dev/hda1) from smaller to
  larger disks, then add additional partitions if you want to take 
advantage
  of the extra space. The geometry is only relevant is you want to "dd"
  entire disks (eg /dev/hda). Alternatively you can tar the whole system 
--

and in effect we are talking about  "cloning" an entire disk from an
installed system
to n other systems.
Speak for cloning a single partition then i suggest a simple
'cp -ax /mount_point_of_original_partition /mount_point_of_target_partition'
the 'a' stands for archive (recursive and same permissions)
and with the 'x' the copy doesn't go outside the indicated filesystem.
you can find the same suggestion in How-To/Large-Disk

---
;---+---;
bye |
bye |hor










Re: Benign crackers?

2001-02-21 Thread Daniel Stark

You wouldn't actually imply that hackers are out there providing a welcome 
service do you?  I can see if you asked for your network to be stress 
tested, but to go as far as saying they provide a welcome service?  Come on! 
  Yeah, they might have found a security hole, but oops, now the firewall 
admin is out of a job.  People should constantly strive to secure their own 
boxen, we don't need hackers to do it for us.


From: "A. L. Meyers" [EMAIL PROTECTED]
To: Steve Rudd [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Benign crackers?
Date: Wed, 21 Feb 2001 08:21:02 +0100 (CET)

-BEGIN PGP SIGNED MESSAGE-

On Tue, 20 Feb 2001, Steve Rudd wrote:

  Daniel Stark asked:
 
  At 01:53 PM 2/20/01 -0800, you wrote:
  How exactly did you get hacked?  Did you leave security wholes large
  enough for a bus to drive through open?  Open your inetd.conf file and 
#
  out everything!  The only thing you need open is port 22.  Others will
  disagree, but depending on what you server is used for, this should be
  your first step for security.
 
  Steve here,
 
  Several have voiced an interest in the hack. Well here is a guess and 
some
  facts:
 
  THE HACK:
  For those interested in the hack, I think it was the "Dameon worm" but
  could not find any evidence of the trace files on my system. Here is 
what
  happened:
 
  1. I get a letter from "[EMAIL PROTECTED]"  saying: "Urgent! Security
  incident on your machine! Attrition.org is a non-profit, hobby web site
  that monitors
  computer crime on the internet. In the past few minutes, we
  have been notified that your domain was hacked, and your web
  page defaced. This means that the intruder has edited your
  web page in some way. Due to this, it is quite likely that
  one or all of the machines on your network are compromised.
  You may wish to take immediate action to correct this problem
  and respond to the intrusion."
 
  2, I noticed my clock went forward maybe a day and had to reset it via
  "date" command.
 
  3. I notice a single page was changed: "index.html"
 
  Here is the code from that page:
 
 
  !-- BEGIN Naviscope Javascript --
  script language='javascript'
 NS_ActualOpen=window.open;
 function NS_NullWindow(){this.window;}
 function NS_NewOpen(url,nam,atr){return(new 
NS_NullWindow());}
 window.open=NS_NewOpen;
  /script
  !-- END Naviscope Javascript --
 
  html
  head
  title..:: Quit Crew ::../title
  /head
  body bgcolor="#FF"
  center
  OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-44455354"
   
codebase="http://active.macromedia.com/flash2/cabs/swflash.cab#version=4,0,0,0"
   ID=devil WIDTH=731 HEIGHT=562
   PARAM NAME=movie VALUE="qc.swf"
   PARAM NAME=loop VALUE=false
   PARAM NAME=quality VALUE=high
   PARAM NAME=bgcolor VALUE=#FF
 
 
  /OBJECT
  /center
  /body
  /html
 
  =
  end code
 
  4. I have noticed nothing other than these changes.
 
  So there you have it. I didn't even ever get to see what the flash was 
all
  about it just loaded forever without anything. You know for all my 
trouble,
  I should have at least got some free artwork!
 
  Steve
 
 
 
 
Dear fellow debianites,

To dispel any doubts, I would not even know how to start a crack
attempt.

There seem to be more and more "benign" hackers and crackers on the web
who might even be a "blessing in disguise". If all they do is crack
sites without damaging anything and afterwards inform the sites, they
might just be performing a very valuable service.

My own experience is that no one believes he is vulnerable until he has
experienced a real security breach or worse. People in general seem to
prefer to remain blissfully unaware of internet security risks. Even
persuading clients to download pgp and use it to transfer confidential
information encrypted is not easy.

Best regards,

Lucien Meyers

-BEGIN PGP SIGNATURE-
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOpNsZYsavovzoIkNAQGLbAQAgjvixxb5CZuEQaso96iNTJCne9t3rVkN
52r7aHqfvGSzHcA64KDWBMv/59aNLDa/OqggJrTdPVIwXAyXTjFbc2jpPEmLD3fk
bsChFH3Zb0xAz537BBbpMRLeCcdvCHqQEyEDQB+WJz4mFt+8ET9N9xqnMIFCJ3Xn
TsLjeB2SlhM=
=XOB8
-END PGP SIGNATURE-










RE: Anti Virus for Debian

2001-02-21 Thread Daniel Stark

You're talking about removing viruses though.  I'm talking about preventing 
them.  Anybody can manually remove a virus from a Windows machine, it's 
really easy.  I can even remove W95.MTX (The Matrix) virus in 5 minutes.  
I'm not sure of any network admin that wants to spend their time removing 
viruses though.  I think the easiest way to go about virus safety is just 
make it more difficult to get a virus.  Thus disabling scripting.  Of course 
many of Microsoft's auto updates are kind enough to enable it again.  That's 
why you use a program like Autoinstall to roll out your updates. ;)


From: "Magus Ba'al" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: Anti Virus for Debian
Date: Wed, 21 Feb 2001 09:32:28 -0700

After ILOVEYOU first came out and AV vendors didn't have a fix for it, we
had to figure out a way to quickly disable the virus. So I spent 5min
finding the reg key and writing 2 scripts to make the default action Edit,
instead of Open, and another in reverse, make the default action Open
instead of Edit. I wouldn't suggest renaming wscript.exe, jscript.exe or
csscript.exe, as Critical Updates, Repairing, or Upgrading IE will just put
those files back in place. The javascripts are attached, take a peek and 
see
if they fit the bill. If not, at least you still have the option to quickly
disable VBS scripting :)




-Original Message-----
From: Daniel Stark [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 21, 2001 9:12 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Anti Virus for Debian


Speaking of Windows and *.vbs attacks.  What you should really do is 
disable
the scripting host on all of your Windows machines.  For those of you who
don't know, you can just rename "wscript.exe" "jscript.exe" and
"cscript.exe".  There's a good chance you'll only have one of them.


 From: Bradley M Alexander [EMAIL PROTECTED]
 To: Mario Zuppini [EMAIL PROTECTED]
 CC: Matthew Sherborne [EMAIL PROTECTED],
 [EMAIL PROTECTED]
 Subject: Re: Anti Virus for Debian
 Date: Mon, 19 Feb 2001 23:35:01 -0500
 
 On Tue, Feb 20, 2001 at 01:59:20PM +1000, Mario Zuppini wrote:
   I would also like to know of virus scanners especially for mail 
servers
 ie
   sendmail
   that will work on a SPARC ???
  
   there are a few that work under i386 ie like amavris etc can be found 
on
   freshmeat.net
   but nothing will work under a sparc
 
 As a quick and dirty option, you can use procmail to filter. Depending on
 your security posture and threat environment, you can filter on
 multi-extension vbs files (e.g. AnnaKournikova.jpg.vbs), all VBS files, 
exe
 files, or any combination. You could filter them to a quarantine area, 
then
 peruse them at your leisure.
 
 You should combine this with turning off auto execute of attachments on 
all
 of your windows boxen.
 
 --
 --Brad
 ===
=
 Bradley M. Alexander, CISSP  |   Co-Chairman,
 Beowulf System Admin/Security Specialist |NoVALUG/DCLUG Security SIG
 Winstar Telecom  |   [EMAIL PROTECTED]
 (703) 889-1049   |   [EMAIL PROTECTED]
 ===
=
 Those who trade liberty for security have neither.
 
 
 




 VBSscripts.zip 




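The procmail filtering idea in Brad's quoted reply, as an added example that is not taken from the thread: a Python function applying the same rule choices he lists (multi-extension script names such as AnnaKournikova.jpg.vbs, any executable extension, or both) to a parsed MIME message, with a constructed sample mail carrying a disguised .vbs next to a genuine .jpg. The extension list, the sample message and the mode names are my assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows hands to the scripting host or the loader (assumed list).
EXEC_EXT = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr", "pif", "com", "bat", "cmd"}


def attachment_verdicts(raw, mode="vbs-and-exe"):
    """Return [(filename, [reasons])] for attachments the filter would quarantine.

    mode is one of the rule sets from the thread:
      "multi-ext"   - only names like foo.jpg.vbs (a decoy extension before a script one)
      "vbs-and-exe" - any attachment whose real extension is executable
      "all"         - both checks, reasons listed in that order
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().rsplit(".", 2)        # ["foo", "jpg", "vbs"]
        ext = pieces[-1] if len(pieces) > 1 else ""
        reasons = []
        if mode in ("multi-ext", "all") and len(pieces) == 3 and ext in EXEC_EXT:
            reasons.append("double extension hiding ." + ext)
        if mode in ("vbs-and-exe", "all") and ext in EXEC_EXT:
            reasons.append("executable extension ." + ext)
        if reasons:
            hits.append((name, reasons))
    return hits


def build_sample():
    """A constructed message: one disguised script attachment, one harmless picture."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "pictures from the weekend"
    msg.set_content("Hi: Check This!")
    msg.add_attachment(b'MsgBox "gotcha"\r\n', maintype="application",
                       subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"\xff\xd8\xff\xe0JFIF", maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for mode in ("multi-ext", "vbs-and-exe", "all"):
        print(mode, "->", attachment_verdicts(build_sample(), mode))
```

Run as a procmail filter, the script would exit non-zero for a hit and the recipe would deliver the message to a quarantine folder instead of the inbox; the "multi-ext" rule alone is the least noisy, since it never fires on archive.tar.gz or on plain .exe files you may legitimately receive, while "vbs-and-exe" is what you want when no user has a reason to receive scripts by mail at all.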



Re: how secure is mail and ftp and netscape/IE???

2001-02-21 Thread Daniel Stark

Yes, you should be concerned.  Nowadays most people are using SSH for all 
communication.  It's really the way to go for remote access.  Take a look at 
openssh.com for some more information.  Plus it's free, and we like free. ;)


From: Steve Rudd [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: how secure is mail and ftp and netscape/IE???
Date: Wed, 21 Feb 2001 15:13:43 -0500

Hello! Steve here,

Well I am one of the family now! My server is Debian 2.2r2. A benign hacker
got me. All he seemed to do was overwrite my root index.html page and
notify the "hackers watchdog" group to take responsibility for the act!

I have some security questions:

1. How secure is it checking email with eudora pro, given they have not yet
got ssh or any other system that is secure? Since outlook has ssh, is it
worth switching for that? I use a separate user and password for mail and 
ftp.

2. Cute ftp is not secure yet, but should be soon.

3. Using netscape to port to private sections of the website:

www.abc.com:1020/systemconfig/index.html

(for example)

I am asked for a user name and password via netscape/IE

===

Ok all these things are really transmitting my user name and password via
plain text with no encryption. If I have sudo installed and a sniffer comes
along, they have root access very easily!

Should I be concerned about using email, ftp and IE ?

Steve










Re: how secure is mail and ftp and netscape/IE???

2001-02-22 Thread Daniel Stark

I ssh from my Windows 2000 machine at work to my Debian machine at home.  
You just need the proper client.  There are free ones out there for Windows.


From: Adam Spickler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: how secure is mail and ftp and netscape/IE???
Date: Wed, 21 Feb 2001 15:40:05 -0500

What about if you are going from a Windows box to a *nix box.  Is there any 
way to do secure ftp transfers.  Mail, for me is no problem.  I ssh into my 
machines and use "Mutt" to deal with email.


...adam





On Wed, Feb 21, 2001 at 05:29:11PM -0300, Pedro Zorzenon Neto wrote:
  Hi Steve,
 
About sending plain text password and files with telnet and ftp:
 
uninstall your 'telnetd' and 'ftp server' and install 'ssh'
ssh is real secure and has two useful commands:
'ssh' is a substitute for telnet
and 'scp' is not the same thing, but substitutes ftp with some 
advantages
 
read their manuals and compare.
 
  Bye
  Pedro
 
  On Wed, Feb 21, 2001 at 03:13:43PM -0500, Steve Rudd wrote:
   Hello! Steve here,
  
   Well I am one of the family now! My server is Debian 2.2r2. A benign 
hacker
   got me. All he seemed to do was overwrite my root index.html page and
   notify the "hackers watchdog" group to take responsibility for the 
act!
  
   I have some security questions:
  
   1. How secure is it checking email with eudora pro, given they have 
not yet
   got ssh or any other system that is secure? Since outlook has ssh, is 
it
   worth switching for that? I use a separate user and password for mail 
and ftp.
  
   2. Cute ftp is not secure yet, but should be soon.
  
   3. Using netscape to port to private sections of the website:
  
   www.abc.com:1020/systemconfig/index.html
  
   (for example)
  
   I am asked for a user name and password via netscape/IE
  
   ===
  
   Ok all these things are really transmitting my user name and password 
via
   plain text with no encryption. If I have sudo installed and a sniffer 
comes
   along, they have root access very easily!
  
   Should I be concerned about using email, ftp and IE ?
  
   Steve
  
  
  
  
 
 
 


-
Adam Spickler
Whaddu LLC.
http://www.whaddu.com
WebHosting and Design/Development Unlimited
-










Re: Applications using Linux capabilities

2001-03-23 Thread Daniel Jacobowitz

On Thu, Mar 22, 2001 at 10:36:43AM +0100, Alexander Reelsen wrote:
 Hi folks
 
 I'm currently collecting a list of applications which make use of the
 capabilities introduced in Linux 2.2. However this list is quite short and
 I'm wondering whether I am searching wrong or the capabilities aren't
 advocated enough yet or just not used as they're bad or whatever (huge
 "huh?" here from my side).
 
 So if anyone has a application to add to this list, please tell me so.
 
 Incredibly long list of apps:
 - proftpd
 - xntp3 w/patch (just keeps CAP_SYS_TIME, drops uid 0)

Vsftpd does, too.

I'm fairly sure there's a lot more - you can access them through PAM
somehow, I think...

-- 
Daniel Jacobowitz   Debian GNU/Linux Developer
Monta Vista Software  Debian Security Team
 "I am croutons!"






Re: rpc.statd

2001-04-08 Thread Daniel Jacobowitz

On Sun, Apr 08, 2001 at 06:04:54PM -0400, Robert Bartels wrote:
 I saw this in my logs today.
 
 Apr  8 15:08:43 mikado rpc.statd[179]: gethostbyname error for
 ^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
 37x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
 20\220\220\220\2!
 20\220\220\220\220\220\220\220\220\220
 
 It looks like statd is still running. Is rpc still vulnerable? Is there a

Nope, you're safe if you saw the % signs in your logs.

 way to track down who
 connected to rpc.statd?

Run a tcp logger, like ippl.

-- 
Daniel Jacobowitz   Debian GNU/Linux Developer
Monta Vista Software  Debian Security Team
 "I am croutons!"



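Both rpc.statd threads above (2001-01-09 and 2001-04-08) show the same kind of logged payload. As an added example that is not from either message: detection logic run over constructed syslog lines (the first modelled on the quoted entries, the hostnames, PIDs and other lines made up), flagging the %n writes, the runs of %8x stack reads, the 0xbf... i386 stack addresses and the \220 NOP sled. Dan's point carries over: the payload reaching syslog intact means that attempt did not take the process over, so the verdict labels an attempt, not a compromise.

```python
import re

# Constructed sample lines.  The first mimics the rpc.statd entries quoted in the
# threads; the other two are ordinary traffic to show the classifier stays quiet.
SAMPLE_LOG = [
    "Jan  8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for "
    "^X\\xf7\\xff\\xbf^X\\xf7\\xff\\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n"
    "\\220\\220\\220\\220\\220\\220\\220\\220",
    "Apr  8 15:08:43 mikado rpc.statd[179]: gethostbyname error for printer.example.com",
    "Apr  8 15:09:01 mikado sshd[412]: Accepted publickey for alice from 192.0.2.10 port 51234",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FMT_RE = re.compile(r"%\d*[xn]")          # printf directives an attacker smuggles in


def classify(line):
    """Parse one syslog line; return a dict with a verdict, or None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    directives = FMT_RE.findall(msg)
    writes = [d for d in directives if d.endswith("n")]   # %n writes to memory
    reads = [d for d in directives if d.endswith("x")]    # %8x walks the stack
    nops = msg.count("\\220")                              # 0x90 as syslog escapes it
    stack_addr = "\\xbf" in msg                            # 0xbfxxxxxx i386 stack
    indicators = []
    if writes:
        indicators.append(f"{len(writes)} %n write(s)")
    if len(reads) >= 4:
        indicators.append(f"{len(reads)} %x stack reads")
    if nops >= 8:
        indicators.append(f"NOP sled ({nops} bytes)")
    if stack_addr:
        indicators.append("stack addresses in payload")
    if writes:
        verdict = "format-string attack"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"prog": m["prog"], "pid": m["pid"], "verdict": verdict,
            "indicators": indicators}


def scan(lines):
    """Everything that is not plainly benign, in log order."""
    return [r for r in map(classify, lines) if r and r["verdict"] != "benign"]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The %n test is the decisive one: a legitimate hostname lookup never contains a printf write directive, whereas the %x runs alone could in theory appear in odd but honest input, so they only raise the line to "suspicious".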



Re: setting up sudo for tail

2001-04-11 Thread Daniel Jacobowitz

On Thu, Apr 12, 2001 at 01:10:17AM +, Adam Olsen wrote:
 And for the record, is there any way to get sudo working?

No, not really.  What you would have to do would be write a wrapper
script which verifies that all arguments are sane.  Deny lists in sudo
are known to be mostly a non-feature.

-- 
Daniel Jacobowitz   Debian GNU/Linux Developer
Monta Vista Software  Debian Security Team
 "I am croutons!"



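The wrapper Dan describes, as an added example and not something from the thread: a small sudo target that only ever runs tail on one allowlisted log directory, validating every argument against a positive pattern rather than a deny list. The directory, the tail path, the line cap and the sudoers line in the docstring are assumptions.

```python
#!/usr/bin/env python3
"""safetail: a sudo target that only runs tail on files under one log directory.

Hypothetical sudoers entry granting it (allowlist the wrapper, not tail itself):
    alice ALL = (root) NOPASSWD: /usr/local/sbin/safetail
"""
import os
import re
import sys

ALLOWED_DIR = "/var/log"        # assumption: the only tree users may read
MAX_LINES = 5000                # assumption: cap so nobody dumps whole files
TAIL = "/usr/bin/tail"          # assumption: absolute path, never from PATH


def validate(argv, allowed_dir=ALLOWED_DIR):
    """Accept ['-n', N, FILE] or [FILE]; return (n, resolved_path) or raise ValueError.

    Nothing is passed through unchanged: the count must match a strict pattern and
    the file must resolve (after ../ and symlinks) to something inside allowed_dir."""
    args = list(argv)
    n = 10
    if len(args) == 3 and args[0] == "-n":
        if not re.fullmatch(r"[1-9][0-9]{0,4}", args[1]):
            raise ValueError("line count must be a small positive integer")
        n = min(int(args[1]), MAX_LINES)
        args = args[2:]
    if len(args) != 1:
        raise ValueError("usage: safetail [-n N] FILE")
    path = args[0]
    if path.startswith("-"):
        raise ValueError("option-looking filename rejected")
    resolved = os.path.realpath(path)              # collapses ../, follows symlinks
    root = os.path.realpath(allowed_dir)
    if os.path.commonpath([root, resolved]) != root or resolved == root:
        raise ValueError(f"{path!r} is outside {allowed_dir}")
    return n, resolved


def rejected(argv, allowed_dir=ALLOWED_DIR):
    """True if validate() refuses argv; handy for tests and for a dry-run mode."""
    try:
        validate(argv, allowed_dir)
    except ValueError:
        return True
    return False


def main(argv=None):
    try:
        n, path = validate(sys.argv[1:] if argv is None else argv)
    except ValueError as err:
        print(f"safetail: {err}", file=sys.stderr)
        return 2
    if not os.path.isfile(path):
        print(f"safetail: {path}: not a regular file", file=sys.stderr)
        return 2
    os.environ.clear()          # the caller's environment must not reach a root process
    os.execv(TAIL, [TAIL, "-n", str(n), "--", path])


if __name__ == "__main__":
    sys.exit(main())
```

The "--" before the path is what stops a filename from ever being parsed as a tail option, and the `-n` value is rebuilt from an int rather than forwarded, so "-n -5" or "-n 1e3" never reach tail. The one thing this cannot fix is a user who can create symlinks inside the log directory between the check and the exec; the assumption is that only root writes there.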



Re: Security in a shell that starts ssh

2001-06-13 Thread Daniel Ginsburg

On Wed, Jun 13, 2001 at 10:57:08AM -0500, Steve Greenland wrote:
 Tim, good fixups, a few C coding/style nitpicks:
 
 On 12-Jun-01, 17:57 (CDT), Tim van Erven [EMAIL PROTECTED] wrote: 
  #include <stdio.h>
 
 #include <unistd.h> /* For execlp */
 #include <stdlib.h> /* For exit */
 #include <string.h> /* For strlen */
 
  int main()
 
 int main(void)   /* () != (void) in C */
 
  {
char  name[21]; /* Should be macro (#define NAMELEN 21) */
  
printf("Login as: ");
fflush(stdout);
  
if(fgets(name, 21, stdin)) {
  /* if(name[strlen(name) - 1] != '\n') */
 
  if(name[strlen(name) - 1] != '\n') {


Possible access to unallocated memory if \0\n supplied as input.

fprintf(stderr, "Username too long.\n");
  /* else { */
 
  } else {
 
name[strlen(name) - 1] = '\0';
execlp("/usr/bin/ssh", "ssh", "-l", name, "foo.foo.es", (char *)0);
  }
}
  
/* return 0; */
 
 exit(EXIT_SUCCESS); /* return doesn't call atexit() registered functions,
which doesn't apply in this case, but it's a good
habit to get into */


Wrong comment. Returning from main _does_ call atexit() registered
functions.

  }
 
 
 You also should should make sure name doesn't contain any spaces: as
 written I can pass additional options to ssh. Also, for this kind of
 application you really ought to be checking the error conditions for
 *every* library call.
 

Spaces and other shell metacharacters are irrelevant in this case, since
executed command won't undergo shell interpretation.

-- 
dg






Re: Security in a shell that starts ssh

2001-06-13 Thread Daniel Ginsburg

On Wed, Jun 13, 2001 at 02:02:10PM -0500, Steve Greenland wrote:

[snip]

 I'd still argue that exit(_macro_) is better style than return from
 main(), but I'm hard pressed to find a technical argument.


There's a subtle difference between returning from main and calling exit.
An excellent explanation is in C-FAQ 11.16:
http://www.eskimo.com/~scs/C-faq/q11.16.html.

-- 
dg






Re: Proxy arp or bridge ?

2001-07-02 Thread Daniel Faller

On Monday 02 July 2001 18:25, you wrote:
 ipmasquerading?

No, they have public IPs and I would like to keep this setting. The clients' 
config should not change at all.


Daniel


_
Daniel Faller
Fakultaet fuer Physik
Abt. Honerkamp
Albert-Ludwigs-Universitaet Freiburg

Tel.: 0761-203-5875
Fax.: 0761-203-5967 
e-mail: [EMAIL PROTECTED]
URL:http://webber.physik.uni-freiburg.de/~fallerd 






Re: shared root account

2001-07-06 Thread Daniel Polombo

Just a friendly Jedi Knight wrote:

 On Fri, Jul 06, 2001 at 01:19:24PM +0300, Juha Jykk wrote:
 
  I distrust allowing root logins from anywhere but local console(s)
or non-modem gettys i.e. from anywhere over the not-owned-by-me cable.

  umm do You want to run in circles from one machine to another? ;o))
  if not then You need to remotely log on somehow, right?
  i think that ssh'ing into the machine and then su'ing to root is no
  different than ssh'ing directly as root into that machine...
  (well when You do a su You leave a trace in logs of that fact, while when You
  directly ssh into there, there is no info in logs on who actually logged on as
  root; there is some patch to at least partially fix the latter and it was
  mentioned on debian-devel i think)


Disable every direct root login altogether (suppress root's password) 
and add anyone who needs root access to your /etc/sudoers file (if 
necessary, apt-get install sudo, of course). Need a root shell? sudo 
bash, and you're using only your own password ...







Re: Port 6000/X11 Won't Close!

2001-08-10 Thread Daniel Polombo

vexation wrote:
 I use debian 2.2 (woody/unstable) with kernel 2.4.7, I use login.app to login
 to X.  I believe I have the --no-listen command set. However, no matter what I
 do port 6000 still remains open.  I really want to close this port for security
 reasons!  can someone please help me?! - Thank you!

Try running X -nolisten tcp.

HTH,

Daniel






Re: rpc.statd being attacked?

2001-08-21 Thread Daniel Jacobowitz

On Tue, Aug 21, 2001 at 01:28:24PM -0700, Daniel Schepler wrote:
 I've gotten logs several times that read something like
 
 Aug 20 19:20:24 adsl-63-193-247-253 rpc.statd[330]: gethostbyname error for ^X
 F7FFBF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FF
 BF^[F7FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%

You're safe.  It was fixed before potato; it would not have been logged
if it had succeeded.

-- 
Daniel Jacobowitz   Carnegie Mellon University
MontaVista Software Debian GNU/Linux Developer






Re: apt sources.list

2001-08-21 Thread Daniel Jacobowitz

On Tue, Aug 21, 2001 at 09:36:02AM -0700, Jeff Coppock wrote:
Can I get a few recommendations on the proper sources.list for
a system running woody, that includes the security updates?  I
recently did an apt-get update && apt-get upgrade and the
security updates caused dependency issues that I couldn't
recover from and made my system unbootable, since lilo was
involved.  I'm scared to death to run another update/upgrade
since I had to rebuild the system from scratch!

As others have said - don't do this :)

If security is especially important to you, run stable with security
updates, or track unstable daily and hope maintainers are responsive. 
We try to see that woody is in coherent shape just before release, but
we can't supply fixes for it on any more urgent basis.  It moves too
fast.

-- 
Daniel Jacobowitz   Carnegie Mellon University
MontaVista Software Debian GNU/Linux Developer






No Subject

2001-09-21 Thread Daniel Andrade



unsubscribe

[EMAIL PROTECTED]



Re[2]: Port Scan for UDP

2001-10-21 Thread Petre Daniel


also netstat -n -p -t --listening | grep :PORT


VD Hi,

VD On Sat, Oct 20, 2001 at 09:22:57PM -0700,
VD tony mancill [EMAIL PROTECTED] wrote:
 On Sat, 20 Oct 2001, Marc Wilson wrote:

  Adding or removing lines in /etc/services doesn't open or close ports...
  this is a common misconception.  Removing what's listening on a particular
  port is what closes that port.

 A good way to find out what process is listening on a port is to load the
 lsof package and use lsof -i (as root so that you'll see everything).

VD You can also use netstat -pan to find out which process is listening on
VD which port.

VD regards,
VD Volker










Re: How do I disable (close) ports?

2001-12-04 Thread Petre Daniel



Well, 111 is the portmap port. Careful, it's a gate for intrusion with
RPC attacks.
You must disable portmap. Try something like update-rc -f remove
portmap or
update-rc -f portmap remove, I forgot.

If that doesn't work, try blocking ports via ipchains with something
like
/sbin/ipchains -s 0/0 -d MY_MACHINE_IP 111 -p tcp -j DENY -l
 cya

 Petre L. Daniel
 Linux Administrator,Canad Systems Pitesti
 http://www.cyber.ro email:[EMAIL PROTECTED]
 phone: +4048220044,+4048206200

-----Original Message-----
From: J. Paul Bruns-Bielkowicz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 04, 2001 12:18 PM
To: [EMAIL PROTECTED]
Subject: How do I disable (close) ports?


Hi,
I disabled all but a few ports in /etc/services, but I have
tcp        0      0 pa237.olsztyn.sdi.t:111 80.116.215.37:1064 ESTABLISHED
when I netstat my machine. What exactly does this mean? I just want
25/tcp     open   smtp
37/tcp     open   time
66/tcp     open   sql*net
80/tcp     open   http
110/tcp    open   pop-3
443/tcp    open   https
3306/tcp   open   mysql
open. How can I close ports 111 and 859? They are not enabled in
/etc/services.
Thanks,
J. Paul Bruns-Bielkowicz
http://www.america.prv.pl









Debian GNU/Linux 2.2r3 vulnerabilities ?

2001-10-24 Thread Petre Daniel


Heya,
 I run a potato at home and I will set up the computer at work
 with potato as well. Since that will be a 24h internet-connected
 PC, I am wondering what the 2.2 release 3 vulnerabilities are for
 the system installed from the CDs without any online update.
 Is the ssh package in potato vulnerable?
 I'd appreciate it if you can give me some URLs.
 thx,
 Dani,
 hackers unsupport.










What this means in my logs?

2001-11-30 Thread Petre Daniel

Heya, I got those lines often lately. Can anyone explain every
little part of it to me?
If you can drop a URL too, it would be great.
Thank you.

Nov 30 16:16:28 brutus-gw kernel: Packet log: input DENY eth1 PROTO=6 210.86.20.213:1621 194.102.92.21:6000 L=48 S=0x00 I=52039 F=0x4000 T=102 SYN (#1)

c yah,
Dani.
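
The thread carries no reply on this page, so as an added example (not code from the thread) here is a decoder for the ipchains kernel log format the line uses. The field meanings are those of the ipchains "Packet log:" format: chain, target, interface, PROTO= protocol number, source:port, destination:port, L= total IP length, S= type of service, I= IP identification, F= fragment word (flags in the top bits), T= TTL, "SYN" when the SYN flag is set, and the matching rule number in parentheses. The sample is the line from the message, used as constructed test input.

```c
#include <stdio.h>
#include <string.h>

/* Decoded ipchains "Packet log:" entry. */
typedef struct {
    char chain[16];     /* input / output / forward or a user-defined chain */
    char target[16];    /* DENY, REJECT, ACCEPT ... */
    char iface[16];
    unsigned proto;     /* IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP */
    char src[24], dst[24];
    unsigned sport, dport;
    unsigned len;       /* L= total IP length in bytes */
    unsigned tos;       /* S= type of service byte */
    unsigned id;        /* I= IP identification */
    unsigned frag;      /* F= fragment word: flags in the top bits, offset below */
    unsigned ttl;       /* T= time to live */
    int syn;            /* "SYN" present: this was a connection attempt */
    unsigned rule;      /* (#N): the rule that matched */
} IpchainsLog;

/* Parse the kernel's ipchains log format:
 *   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
 *               L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)
 * Returns 0 on success, -1 if the line is not such an entry. */
int parse_ipchains_log(const char *line, IpchainsLog *e)
{
    const char *p = strstr(line, "Packet log: ");
    const char *rule;
    int n;

    if (p == NULL)
        return -1;
    p += strlen("Packet log: ");
    /* %x accepts the kernel's 0x prefix on S= and F=; %[^:] stops at the port colon. */
    n = sscanf(p, "%15s %15s %15s PROTO=%u %23[^:]:%u %23[^:]:%u L=%u S=%x I=%u F=%x T=%u",
               e->chain, e->target, e->iface, &e->proto,
               e->src, &e->sport, e->dst, &e->dport,
               &e->len, &e->tos, &e->id, &e->frag, &e->ttl);
    if (n != 13)
        return -1;
    e->syn = strstr(p, " SYN") != NULL;
    e->rule = 0;
    rule = strstr(p, "(#");
    if (rule != NULL)
        sscanf(rule, "(#%u)", &e->rule);
    return 0;
}

/* In the F= word, 0x4000 is the IP "don't fragment" bit and 0x2000 "more fragments". */
int ipchains_dont_fragment(unsigned frag) { return (frag & 0x4000) != 0; }

/* The line from the message above, copied here as constructed test input. */
static const char SAMPLE_LINE[] =
    "Nov 30 16:16:28 brutus-gw kernel: Packet log: input DENY eth1 PROTO=6 "
    "210.86.20.213:1621 194.102.92.21:6000 L=48 S=0x00 I=52039 F=0x4000 T=102 SYN (#1)";

int main(void)
{
    IpchainsLog e;

    if (parse_ipchains_log(SAMPLE_LINE, &e) != 0) {
        fprintf(stderr, "not an ipchains log line\n");
        return 1;
    }
    printf("chain %s -> %s on %s: proto %u %s:%u -> %s:%u\n",
           e.chain, e.target, e.iface, e.proto, e.src, e.sport, e.dst, e.dport);
    printf("length %u, TOS 0x%02x, id %u, DF=%d, TTL %u, SYN=%d, rule #%u\n",
           e.len, e.tos, e.id, ipchains_dont_fragment(e.frag), e.ttl, e.syn, e.rule);
    return 0;
}
```

Read against the sample: the input chain's rule #1 denied a TCP SYN from 210.86.20.213 to port 6000 on eth1, i.e. a blocked connection attempt to the X11 port, with DF set and a TTL of 102.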









Exim mail

2001-12-14 Thread Daniel Rychlik

How do I stop this from happening?  Apparently my bud telnetted to port 25
and somehow sent mail from my root account.  Any suggestions, white papers
or links?  I'd like to block the telnet application altogether, but I
don't think that's possible.

Thanks in advance,
Daniel

I'm a newbie so please send flame mail to [EMAIL PROTECTED]null   thanks.

Here's what he sent to me...

- Original Message -
From: [EMAIL PROTECTED]
Sent: Thursday, December 13, 2001 10:03 PM


 hehe this wasnt so hard either, i guess that makes me a pimp? lmfao,
anyway learn to call a brotha damnit! and dont act like you dont know who
dis be! foo! hehehe later..






Re: Exim mail

2001-12-14 Thread Daniel Rychlik

Thanks for the reply on this.  I just found the header info.  It does appear
that he sent it from a remailer.  Thanks again, and sorry for the stupidity.


Envelope-to: [EMAIL PROTECTED]
Received: from rly-ip02.mx.aol.com ([152.163.225.160])
 by earth.rychlik.ws with esmtp (Exim 3.12 #1 (Debian))
 id 16Ejkt-0003kp-00
 for [EMAIL PROTECTED]; Thu, 13 Dec 2001 22:15:27 -0600
Received: from logs-tn.proxy.aol.com (logs-tn.proxy.aol.com [152.163.207.5])
   by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
   with ESMTP id XAA01462 for [EMAIL PROTECTED];
   Thu, 13 Dec 2001 23:06:10 -0500 (EST)
From: [EMAIL PROTECTED]
Received: from AC952543.ipt.aol.com (AC952543.ipt.aol.com [172.149.37.67])
 by logs-tn.proxy.aol.com (8.10.0/8.10.0) with SMTP id fBE430X219986
 for [EMAIL PROTECTED]; Thu, 13 Dec 2001 23:03:29 -0500 (EST)
Date: Thu, 13 Dec 2001 23:03:29 -0500 (EST)
Message-Id: [EMAIL PROTECTED]
X-Authentication-Warning: logs-tn.proxy.aol.com: AC952543.ipt.aol.com
[172.149.37.67] didn't use HELO protocol
X-Apparently-From: [EMAIL PROTECTED]
Bcc:
Status:

hehe this wasnt so hard either, i guess that makes me a pimp? lmfao, anyway
learn to call a brotha damnit! and dont act like you dont know who dis be!
foo! hehehe later..


- Original Message -
From: Jamie Heilman [EMAIL PROTECTED]
To: Daniel Rychlik [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, December 14, 2001 6:33 PM
Subject: Re: Exim mail


 Daniel Rychlik wrote:

  How do I stop this from happening?  Apparently my bud telnetted to port 25
  and somehow sent mail from my root account.  Any suggestions, white papers
  or links?  I'd like to block the telnet application altogether, but I
  don't think that's possible.

 He didn't use your root account, he used the nature of SMTP to trick
 you.  http://rfc821.x42.com/  And no, you can't block telnet, unless
 you choose to not run a mail server at all.

 --
 Jamie Heilman   http://audible.transient.net/~jamie/
 Paranoia is a disease unto itself, and may I add, the person standing
  next to you may not be who they appear to be, so take precaution.
 -Sathington Willoughby






Re: Exim mail

2001-12-14 Thread Daniel Rychlik


- Original Message -
From: Thomas Hallaran [EMAIL PROTECTED]
To: Daniel Rychlik [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, December 14, 2001 6:53 PM
Subject: Re: Exim mail


 spoofing mail:
 telnet to port 25 on machine you want to spoof through.
 1.Type 'mail from: [EMAIL PROTECTED]'  (address you want to send mail as)
 2.Type 'rcpt to: [EMAIL PROTECTED]'(person you are sending mail to)
 3.Type 'data'
 4.Type 'whatever you want , ending with a period on its own line.'
 5.Type quit

Thomas Hallaran, THANK YOU!
Knowledge is power, difficult to find if you don't have direction.

Once again,  thank you...


 here is the smtp rfc:
 http://www.ietf.org/rfc/rfc0821.txt
 here is a primer on fake email:
 http://scipp.ucsc.edu/~mothra/support/fake_email.html
 here are docs on securing sendmail:
 http://mail-abuse.org/tsi/ar-fix.html


 Tom Hallaran
 Informatics
 Washington University Genome Sequencing Center
 314-286-1114
 [EMAIL PROTECTED]





 On Fri, 14 Dec 2001, Daniel Rychlik wrote:

  How do I stop this from happening?  Apparently my bud telnetted to port 25
  and somehow sent mail from my root account.  Any suggestions, white papers
  or links?  I'd like to block the telnet application altogether, but I
  don't think that's possible.
 
  Thanks in advance,
  Daniel
 
  im a newbie so please send flame mail to [EMAIL PROTECTED]null   thanks.
 
  Heres what he sent to me...
 
  - Original Message -
  From: [EMAIL PROTECTED]
  Sent: Thursday, December 13, 2001 10:03 PM
 
 
   hehe this wasnt so hard either, i guess that makes me a pimp? lmfao,
  anyway learn to call a brotha damnit! and dont act like you dont know
who
  dis be! foo! hehehe later..
 
 
 
 







Re: Exim mail

2001-12-15 Thread Daniel Rychlik


- Original Message -
From: Brian P. Flaherty [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, December 15, 2001 8:41 AM
Subject: Re: Exim mail


 Daniel Rychlik [EMAIL PROTECTED] writes:

  How do I stop this from happening?  Apparently my bud telnetted to port 25
  and somehow sent mail from my root account.  Any suggestions, white papers
  or links?  I'd like to block the telnet application altogether, but I
  don't think that's possible.

 I may be wrong, but from your email headers, it looks like you are
 mailing from a computer connected via dsl.  Are you running an smtp
 server for yourself (i.e., internal mail, getting mail from external
 source and sending via an exim smarthost) or are you actually supposed
 to be relaying mail for other machines?

Yes, I'm running an SMTP server along with POP3.  I wanted to host my own
domain, email, and whatever else.  My Debian machine is running NAT and
is a firewall for my internal machines.  I'm learning the basics of security
and want to make it as secure as possible.   I don't have extra hardware
lying around so my Debian server is also running apache.  My wife likes
building webpages and such so I thought, cool, why not...




 I am connected with DSL and retrieve mail from three different
 sources.  I run fetchmail to get it and exim to send it out.  Exim is
 configured to send mail for the localhost only and it passes it all
 out to my smarthost.  Also, ipchains blocks all smtp traffic, except
 from the smarthost.  And finally, I have telenetd running from
 xinetd.conf, but it is bound to my internal NIC, so there isn't an
 open telnet port on the internet.  Maybe a configuration like this
 would work for you?

No telnet or ftp traffic for me, only 22,25, and 80...


 Brian









Re: Problem with IPTables

2001-12-17 Thread Daniel Rychlik


- Original Message -
From: Bender, Jeff [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 17, 2001 12:08 PM
Subject: Problem with IPTables


 I am having troubles with IPTables.  My rules are having troubles with
 handling -m state --state ESTABLISHED options.  The error I get is
 iptables: No chain/target/match by that name.  Any ideas?  Here is my
 script below.

 # http://www.cs.princeton.edu/~jns/security/iptables/index.html
 # Prepared by James C. Stephens
 # ([EMAIL PROTECTED])

 #!/bin/bash
 #
 # These lines are here in case rules are already in place and the script is
 # ever rerun on the fly.
 # We want to remove all rules and pre-existing user defined chains and zero
 # the counters before we implement new rules.
 iptables -F
 iptables -X
 iptables -Z

Ok, the iptables -X rule needs a chain it can call on.  You have to supply a
name for that chain.  Example:
iptables -X (foo)
then on your rule set you can call that custom chain that you have made.
Basically what's happening is iptables is looking in its default directory
for a special chain that doesn't exist.  You have to create it.  No biggy,
just looks like you need to set that option here...


 # Set up a default DROP policy for the built-in chains.
 # If we modify and re-run the script mid-session then (because we have a
 # default DROP policy), what happens is that there is a small time period
 # when packets are denied until the new rules are back in place. There is
 # no period, however small, when packets we don't want are allowed.
 iptables -P INPUT ACCEPT
 iptables -P FORWARD ACCEPT
 iptables -P OUTPUT ACCEPT

For a more secure rule set you need to set these to DROP.  ESPECIALLY THE
FORWARD RULE!  What can happen here is someone can use your server to spoof
their own IP...   So I'm told.


 ## ===
 ## Some definitions:
 IFACE=eth0
 IPADDR=209.150.196.220
 LO=lo
 NAMESERVER_1=209.150.200.15
 NAMESERVER_2=209.150.200.10
 NAMESERVER_3=64.65.128.6
 BROADCAST=209.150.196.255
 LOOPBACK=127.0.0.0/8
 CLASS_A=10.0.0.0/8
 CLASS_B=172.16.0.0/12
 CLASS_C=192.168.0.0/16
 CLASS_D_MULTICAST=224.0.0.0/4
 CLASS_E_RESERVED_NET=240.0.0.0/5
 P_PORTS=0:1023
 UP_PORTS=1024:65535
 TR_SRC_PORTS=32769:65535
 TR_DEST_PORTS=33434:33523

 ## 
 # RULES
 echo Start Rules

 ## LOOPBACK
 # Allow unlimited traffic on the loopback interface.
 iptables -A INPUT  -i $LO -j ACCEPT
 iptables -A OUTPUT -o $LO -j ACCEPT

 echo -n Allow DNS servers incoming traffic...

 ## DNS
 # NOTE: DNS uses tcp for zone transfers, for transfers greater than 512
 # bytes (possible, but unusual), and on certain platforms like AIX (I am
 # told), so you might have to add a copy of this rule for tcp if you need it
 # Allow UDP packets in for DNS client from nameservers.
 iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT

I believe the command is ESTABLISHED,RELATED  May want to double check that.


 #iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
 #iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_3 --sport 53 -m state --state ESTABLISHED -j ACCEPT
 # Allow UDP packets to DNS servers from client.
 #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

 echo done

 bash# ./test.firewall
 Start Rules
 Allow DNS servers incoming traffic...iptables: No chain/target/match by that name
 done

It looks like you don't really need to define a new chain.  Try it out.












/etc/passwd ?

2001-12-27 Thread Daniel Rychlik



I was wondering if I edited my /etc/passwd file and 
replaced all the /bin/sh to /bin/false, will that break anything?
What I'm seeing is accounts like lp, games, uucp, 
proxy, postgres, and a slew of others that I don't use.

Thanks in advance Debian Guruz!
Daniel


Re: /etc/passwd ?

2001-12-27 Thread Petre Daniel

Most of them are relics of software that you probably don't need, but be 
careful which accounts you erase.
Better comment them out. You can put /etc/NOSHELL instead of /bin/sh or 
even /bin/false and they won't be able to log in to the machine any more.

At 06:24 PM 12/27/01 -0600, Daniel Rychlik wrote:
I was wondering if I edited my /etc/passwd file and replaced all the 
/bin/sh to /bin/false, will that break anything?
What I'm seeing is accounts like lp, games, uucp, proxy, postgres, and a 
slew of others that I don't use.

Thanks in advance Debian Guruz!
Daniel

Petre L. Daniel,System Administrator
Canad Systems Pitesti Romania,
http://www.cyber.ro, email:[EMAIL PROTECTED]
Tel:+4048220044, +4048206200






Re: Securing bind..

2001-12-30 Thread Petre Daniel

thank you all very much.
you're right. if one doesn't have anything useful to say I'll recommend he 
let others help..
thx guys.

At 10:02 PM 12/30/01 +0100, jernej horvat wrote:
On Sunday 30 December 2001 18:46, P Prince wrote:
  The eaisest and most failsafe way to secure bind is to install djbdns.

If you have nothing to say - do not speak.
--
Configuration options for BIND are listed on
http://www.isc.org/products/BIND/docs/config/

List of URLs that might be useful is here:
http://www.isc.org/products/BIND/contributions.html

Cricket Liu's presentation on how to secure BIND:
http://www.acmebw.com/papers/securing.pdf

Securing DNS:
http://www.psionic.com/papers/dns/
-
acl defines hosts or networks that you can either allow or deny access

version defines version number that bind answers if asked for it.
(like: 'this space for rent. contact hostmaster' ;])

blackhole defines hosts or networks that bind will not answer at all.
(ie.: 10.x.x.x, 192.168.x.x, 224.x)

allow-recursion/allow-query defines hosts or networks that can use your
server to get non-auth answers or do recursive queries.

listen-on defines interfaces and ports bind will listen on. If you don't
have any domains to serve to the outside world, you just list the intranet
(NAT) interface in here.

forward only means that you will forward all request (and work ;]) to the
dns servers listed in forwarders.
--
BOFH excuse #57:

Groundskeepers stole the root password

Petre L. Daniel,System Administrator
Canad Systems Pitesti Romania,
http://www.cyber.ro, email:[EMAIL PROTECTED]
Tel:+4048220044, +4048206200






Re: faq? rpc.statd: gethostbyname error for

2001-12-31 Thread Daniel Jacobowitz

On Mon, Dec 31, 2001 at 09:11:41PM +0100, David Gestel wrote:
 What is this? I don't think anyone got in though, everything seems to be
 fine.
 I'm running woody and rpc.statd version 0.3.3

Yep.  The fact that it was logged in this particular case means you're
fine.

-- 
Daniel Jacobowitz   Carnegie Mellon University
MontaVista Software Debian GNU/Linux Developer
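
Both rpc.statd threads above (the log in Daniel Schepler's message and David Gestel's question) concern the same logged string: address bytes followed by a run of "%8x" and "%n" conversions, recorded by syslog precisely because the format-string attempt failed. The following is an added example, not code from either thread: it scans log lines for those indicators so a log monitor can flag them while leaving ordinary lines containing a percent sign alone. The sample lines are constructed here, modelled on the logged one, and the threshold in looks_like_format_string_attack is my choice.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Indicators collected from one log line. */
typedef struct {
    int pct_n;        /* "%n" conversions: the one that writes to memory */
    int pct_total;    /* all integer/pointer conversions ("%8x", "%236x", "%n", ...) */
    int nonprint;     /* bytes outside printable ASCII: addresses or code, not a host name */
} FmtIndicators;

/* Walk a line and count the hallmarks of a format-string payload.  A conversion
 * is '%', optional flags/width/precision, then one of the integer or pointer
 * conversion characters; "%%" is a literal percent and is skipped. */
FmtIndicators scan_format_indicators(const char *line)
{
    FmtIndicators r = {0, 0, 0};
    const char *p = line;

    while (*p != '\0') {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            const char *q = p + 1;
            while (*q != '\0' && strchr("0123456789.-+ #", *q) != NULL)
                q++;                                  /* flags, width, precision */
            if (*q == '%') {                          /* "%%": literal percent */
                p = q + 1;
                continue;
            }
            if (*q != '\0' && strchr("diouxXcspn", *q) != NULL) {
                r.pct_total++;
                if (*q == 'n')
                    r.pct_n++;
                p = q + 1;
                continue;
            }
            p = q;                                    /* '%' without a conversion */
            continue;
        }
        if (!isprint(c) && c != '\t')
            r.nonprint++;
        p++;
    }
    return r;
}

/* Verdict for a log monitor.  Any "%n" is flagged outright; otherwise require
 * both a run of conversions (stack walking) and raw bytes.  The threshold of 8
 * is a choice made for this example, not a standard value. */
int looks_like_format_string_attack(const char *line)
{
    FmtIndicators r = scan_format_indicators(line);
    if (r.pct_n > 0)
        return 1;
    return r.pct_total >= 8 && r.nonprint > 0;
}

/* Constructed sample lines.  The third is modelled on the rpc.statd entry
 * quoted in the thread: address bytes, "%8x" padding, then "%n" writes. */
static const char SAMPLE_BENIGN[] =
    "Aug 20 19:20:24 host rpc.statd[330]: gethostbyname error for www.example.invalid";
static const char SAMPLE_PERCENT_IN_TEXT[] =
    "Aug 20 19:21:00 host kernel: /dev/hda1 is 95% full";
static const char SAMPLE_SUSPECT[] =
    "Aug 20 19:20:24 host rpc.statd[330]: gethostbyname error for "
    "\x18\xf7\xff\xbf\x18\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n";

int main(void)
{
    const char *lines[] = { SAMPLE_BENIGN, SAMPLE_PERCENT_IN_TEXT, SAMPLE_SUSPECT };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        FmtIndicators r = scan_format_indicators(lines[i]);
        printf("line %zu: %%n=%d conversions=%d nonprintable=%d -> %s\n",
               i + 1, r.pct_n, r.pct_total, r.nonprint,
               looks_like_format_string_attack(lines[i]) ? "FLAG" : "ok");
    }
    return 0;
}
```

As Daniel says, a flagged line of this kind means the attempt was logged rather than executed; the value of the check is in noticing who is probing, not in stopping the probe.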






A Happy New Year From Romania to all of you!

2001-12-31 Thread Petre Daniel



Petre L. Daniel,System Administrator
Canad Systems Pitesti Romania,
http://www.cyber.ro, email:[EMAIL PROTECTED]
Tel:+4048220044, +4048206200






[security] What's being done?

2002-01-12 Thread Daniel Stone

Considering that an upload hasn't been made to rectify this root hole,
why hasn't something else been done about it - regular or security NMU?
One would think that this is definitely serious.

Oh and BTW, Slackware released an update today. Without trolling, I can
say that I was honestly surprised to note that Debian, a distro with
~850 developers and a dedicated security team, is behind Slackware on
security issues.

d

-- 
Daniel Stone[EMAIL PROTECTED]
WARNING: The consumption of alcohol may make you think you have mystical
 Kung Fu powers, resulting in you getting your arse kicked.





Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Daniel Polombo

Adam Warner wrote:

 On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:

Some of us wouldn't dare say such things without at least reviewing the
given distro's security policy, FAQ and history.

 But I was really impressed that updates for unstable/testing were
 released at the same time. For those of us that use/test the bleeding
 edge on our systems it's a great reassurance to see the security team
 giving consideration to the security of testing/unstable.


Well, maybe you should follow Tim's advice and go check the security team's FAQ:

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving
   targets and the security team does not have the resources needed to
   properly support those. If you want to have a secure (and stable)
   server you are strongly encouraged to stay with stable.

Of course, if you're using unstable, fixes tend to appear quickly, but:

- "tend to" is not acceptable when security is concerned
- it may take a lot more time depending on your local mirror

--
Daniel






Re: Don't panic (ssh)

2002-01-14 Thread Daniel Polombo

Iain Tatch wrote:


 
AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need
to use SSH2 protocol. OpenSSH supports SSH2. You need different keys though,
as SSH2 so far does not support RSA keypairs and needs DSA keys.  

 That's the impression I was under, too. In which case the current stable
 release of Debian comes with an sshd which uses protocol 1 and is
 therefore open to allowing remote root compromises.

Just a quick precision here: you have to _disable_ v1 in order to be 
protected from that vulnerability. The point here is not that you have to 
support v2, it's that you have to disallow v1. A recent daemon allowing ssh1 
connections is vulnerable.

--
Daniel






Re: dpkg-buildpackage (-rfakeroot) leaves setuid binaries

2002-01-21 Thread Daniel Jacobowitz

On Tue, Jan 22, 2002 at 01:11:18AM +0100, Christian Jaeger wrote:
 This can be a real security hole, at least when you are not aware of 
 it (I have just discovered a working way to exploit it on one of my 
 machines).

And isn't that a bug in the package in question? :)

-- 
Daniel Jacobowitz   Carnegie Mellon University
MontaVista Software Debian GNU/Linux Developer






strange log.

2002-05-16 Thread daniel mendoza

Hello ,
I've got 750k of this log daily

May 15 03:40:01  sm-msp-queue[16123]: STARTTLS=client, error: load verify locs /etc/ssl/certs/, /etc/mail/ssl/sendmail-server.crt failed: 0
May 15 03:40:01  sm-msp-queue[16123]: STARTTLS=client, error: load verify locs /etc/ssl/certs/, /etc/mail/ssl/sendmail-server.crt failed: 0
May 15 03:50:01  sm-msp-queue[16143]: STARTTLS=client, error: load verify locs /etc/ssl/certs/, /etc/mail/ssl/sendmail-server.crt failed: 0
May 15 03:50:01  sm-msp-queue[16143]: STARTTLS=client, error: load verify locs /etc/ssl/certs/, /etc/mail/ssl/sendmail-server.crt failed: 0
  
what can it be?
thanks,
bye.

mailto:[EMAIL PROTECTED]






Re: subscribe

2002-05-21 Thread Daniel Fairhead

makes a change not to have the un at the begining.






Re: Netstat port list v/s PID

2002-10-09 Thread Daniel Hobe


I can't remember where I found this program, but it should do what you want:
http://packetspike.net/~daniel/programs/sockstat.c


On Wednesday 09 October 2002 10:36 pm, Hantzley wrote:
 Hi,
   Is there a way to know to which process a particular port belongs? e.g.,
  port 32773 - 32779, are known to be for rpc services. But to which process
  do they pertain, that's another issue?

   Your comments and ideas are the most welcome.

 Thank you,

 Hantzley

- -- 
Daniel Hobe
[EMAIL PROTECTED]
http://www.nightrunner.com


/*
 *  SocketStat v1.0 - by Richard Steenbergen [EMAIL PROTECTED] and
 *  Drago [EMAIL PROTECTED]. Inspired by dreams, coded by nightmares.
 *
 *  Advantages:
 *- Nifty way to find which processes are using what sockets
 *- Can be used to detect users who clone on irc, connect where they
 *  shouldn't (bots on non-bot servers), are running hidden servers, etc.
 *  Disadvantages:
 *- Must be suid root in order to display sockets other then your own
 *- Kinda duplicates fuser and lsof but hey we had fun writing it.
 */

#include stdio.h
#include stdlib.h
#include unistd.h
#include string.h
#include sys/types.h
#include sys/stat.h
#include netinet/in.h
#include arpa/inet.h
#include dirent.h
#include ctype.h
#include errno.h
#include pwd.h
#include <grp.h>
/* headers for the routines below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define error(x){ fprintf(stderr, "sockstat: %s\n", x); }
#define fatal(x){ fprintf(stderr, "sockstat: %s\n", x); exit(2); }

#define SEARCH_ALL   0   /* Display info on all sockets */
#define SEARCH_GID   1   /* Search by a specific group/gid */
#define SEARCH_PID   2   /* Search by a specific process/pid */
#define SEARCH_PNAME 3   /* Search by a specific process name */
#define SEARCH_UID   4   /* Search by a specific user/uid */

#define PROTOCOL_TCP 3
#define PROTOCOL_UDP 2
#define PROTOCOL_RAW 1

typedef struct {
   ino_t inode;
   struct in_addr local_addr, remote_addr;
   u_int local_port, remote_port;
   u_char status, protocol;
   uid_t uid;
} ProcNet;

/* TCP state names, indexed by (status - 1); status is the kernel's
   state number as printed in /proc/net/tcp */
char *states[] = {
   "ESTBLSH", "SYNSENT", "SYNRECV", "FWAIT1",  "FWAIT2",  "TMEWAIT",
   "CLOSED",  "CLSWAIT", "LASTACK", "LISTEN",  "CLOSING", "UNKNOWN"
};
#define NSTATES (sizeof(states) / sizeof(states[0]))

uid_t o_uid;
gid_t o_gid;
pid_t o_pid;
char buf[128], o_pname[8];
DIR *proc, *fd;
FILE *tcp, *udp, *raw;
ProcNet *NetData;
u_char o_search = SEARCH_ALL;
u_int total = 0, stattcp = 0, statudp = 0, statraw = 0;

void usage(char *progname)
{
   fprintf(stderr, "usage: %s [-u uid|user] [-g gid|group] [-p pid|process]\n",
           progname);
   exit(1);
}

/* qsort()/bsearch() comparator: order ProcNet records by socket inode */
int compare(const void *a, const void *b)
{
   ProcNet *a_rec, *b_rec;

   a_rec = (ProcNet *) a;
   b_rec = (ProcNet *) b;

   if (a_rec->inode == b_rec->inode)
      return 0;
   else
      return (a_rec->inode > b_rec->inode) ? 1 : -1;
}

/* Read the next line from /proc/net/tcp, then udp, then raw.  Returns the
   PROTOCOL_* the line came from, or 0 once all three files are exhausted. */
int read_tcp_udp_raw(char *buf, int bufsize)
{
   static char fc = PROTOCOL_TCP;
   FILE *fileptr;

change:
   switch(fc) {
      case PROTOCOL_TCP:
         fileptr = tcp;
         break;
      case PROTOCOL_UDP:
         fileptr = udp;
         break;
      case PROTOCOL_RAW:
         fileptr = raw;
         break;
      case 0:
         return 0;
      default:
         fatal("Program go down the hole.");
   }

   if (fgets(buf, bufsize, fileptr) != NULL)
      return fc;

   --fc;
   goto change;
}

/* Return the process name from /proc/<pid>/status, at most 7 characters,
   in a freshly allocated 8-byte buffer ("unknown" when it cannot be read) */
char *get_program_name(char *pid)
{
   char *ret;
   FILE *fp = NULL;

   if ((ret = malloc(8)) == NULL)
      fatal("Unable to allocate memory.");

   snprintf(buf, sizeof(buf), "/proc/%s/status", pid);

   if ((fp = fopen(buf, "r")) == NULL)
      goto error;

   if (fgets(buf, sizeof(buf), fp) == NULL)
      goto error;

   /* %7s: never store more than fits in the 8-byte buffer */
   if (sscanf(buf, "Name: %7s\n", ret) != 1)
      goto error;

   fclose(fp);
   return ret;

error:
   /* fp is NULL when fopen() failed; fclose(NULL) is undefined */
   if (fp != NULL)
      fclose(fp);
   /* hand back the heap buffer rather than a string literal, since the
      caller writes into the name it receives */
   strcpy(ret, "unknown");
   return ret;
}

void display_record(ProcNet *Record, pid_t pid, char *pname)
{
   struct passwd *pwd;
   char user[16];

   if (Record->protocol == PROTOCOL_TCP) printf("TCP ");
      else if (Record->protocol == PROTOCOL_UDP) printf("UDP ");
         else printf("RAW ");

   /* getpwuid() may return NULL; fall back to the numeric uid.  The name
      is cut to 8 characters with a precision instead of writing a NUL into
      the libc-owned passwd record. */
   if ((pwd = getpwuid(Record->uid)) != NULL)
      snprintf(user, sizeof(user), "%.8s", pwd->pw_name);
   else
      snprintf(user, sizeof(user), "%u", (unsigned) Record->uid);
   pname[7] = '\0';

   printf("%-8s ", user);
   snprintf(buf, sizeof(buf), "%s[%u]", pname, (unsigned) pid);
   printf("%s%*s", buf, (int)(15 - strlen(buf)), "");
   snprintf(buf, sizeof(buf), "%s:%u ", inet_ntoa(Record->local_addr),
            Record->local_port);
   printf("%s %*s", buf, (int)(21 - strlen(buf)), "");
   snprintf(buf, sizeof(buf), "%s:%u", inet_ntoa(Record->remote_addr),
            Record->remote_port);
   printf("%s %*s", buf, (int)(21 - strlen(buf)), "");
   /* a status outside 1..NSTATES must not index past the table */
   printf("%s\n", (Record->status >= 1 && Record->status <= NSTATES)
                  ? states[Record->status - 1] : "UNKNOWN");

   switch(Record->protocol) {
      case PROTOCOL_TCP:
         ++stattcp;
         break;
      case PROTOCOL_UDP:
         ++statudp;
         break;
      case PROTOCOL_RAW:
         ++statraw;
         break;
   }
}
void read_proc_net(void
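The posted program is cut off before read_proc_net(), the routine that reads the /proc/net/tcp, udp and raw tables. What follows is an added example, not part of the posted sockstat: a stand-alone parser for one row of that table, with a bounds-checked state lookup in place of the unchecked states[status - 1]. The struct and state names mirror the posted code; the sample rows are constructed, not captured from a real system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* One row of /proc/net/{tcp,udp,raw}: the fields the posted sockstat keeps. */
struct proc_net_entry {
    unsigned long inode;
    struct in_addr local_addr, remote_addr;
    unsigned int local_port, remote_port;
    unsigned int status;     /* kernel TCP state number, 1..11 */
    unsigned int uid;
};

/* State names as the posted program spells them, indexed by (status - 1). */
static const char *const state_names[] = {
    "ESTBLSH", "SYNSENT", "SYNRECV", "FWAIT1",  "FWAIT2", "TMEWAIT",
    "CLOSED",  "CLSWAIT", "LASTACK", "LISTEN",  "CLOSING"
};

/* Bounds-checked lookup: a status the table does not cover must not index
   past it (the posted display_record() subtracts one without checking). */
const char *tcp_state_name(unsigned int status)
{
    if (status < 1 || status > sizeof state_names / sizeof state_names[0])
        return "UNKNOWN";
    return state_names[status - 1];
}

/* Parse one row.  Returns 0 on success, -1 for the header row or any line
   that does not carry the expected 14 leading fields.  The kernel prints
   each address as the native 32-bit word of in_addr (hex, no byte swap),
   so the parsed value is stored straight into s_addr. */
int parse_proc_net_line(const char *line, struct proc_net_entry *out)
{
    unsigned int sl, laddr, lport, raddr, rport, st;
    unsigned int txq, rxq, tr, when, retr, uid, timeout;
    unsigned long inode;

    if (sscanf(line, " %u: %8X:%4X %8X:%4X %2X %8X:%8X %2X:%8X %8X %u %u %lu",
               &sl, &laddr, &lport, &raddr, &rport, &st,
               &txq, &rxq, &tr, &when, &retr, &uid, &timeout, &inode) != 14)
        return -1;

    out->local_addr.s_addr  = laddr;
    out->remote_addr.s_addr = raddr;
    out->local_port  = lport;
    out->remote_port = rport;
    out->status = st;
    out->uid    = uid;
    out->inode  = inode;
    return 0;
}

/* Constructed sample in the kernel's layout, as a little-endian host prints
   it (not captured from a real system): the header row, a root-owned
   listener on 127.0.0.1:631 and an established ssh session owned by uid 1000. */
const char *const sample_rows[] = {
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0",
    "   1: 0202000A:0016 0101000A:C4B2 01 00000000:00000000 02:000A3F7C 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1",
};
const size_t sample_rows_count = sizeof sample_rows / sizeof sample_rows[0];

/* Print the rows in the same columns as the posted display_record(). */
int main(void)
{
    size_t i;

    for (i = 0; i < sample_rows_count; i++) {
        struct proc_net_entry e;
        char local[32], remote[32];

        if (parse_proc_net_line(sample_rows[i], &e) != 0)
            continue;                               /* header row */
        /* inet_ntoa() reuses one static buffer, so copy each result out */
        snprintf(local, sizeof local, "%s:%u", inet_ntoa(e.local_addr), e.local_port);
        snprintf(remote, sizeof remote, "%s:%u", inet_ntoa(e.remote_addr), e.remote_port);
        printf("TCP %-6u %-21s %-21s %-8s inode=%lu\n",
               e.uid, local, remote, tcp_state_name(e.status), e.inode);
    }
    return 0;
}
```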

Re: port 16001 and 111

2002-10-15 Thread Daniel O'Neill

Specifically, port 16001 is ESD (ESound) IIRC..

On Tue, 2002-10-15 at 10:55, Giacomo Mulas wrote:
> On Tue, 15 Oct 2002, Jussi Ekholm wrote:
> 
> > So, what would try to connect to my system's port 16001 and 111 from
> > within my own system? Should I be concerned? Should I expect the worst?
> 
> port 16001 means that you are running gnome, and is perfectly normal. Port
> 111 is the portmapper, which means that there is a client connecting to an
> RPC based service on your computer, i.e. NIS, whatever like that. As an
> example, there are a few encrypted file systems which make use of NFS
> on localhost, like CFS and SFS. Check it out. However, by the looks of it
> it does not seem anything dangerous.
> 
> Bye
> Giacomo
> 
> -- 
> _
> 
> Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
> _
> 
> OSSERVATORIO ASTRONOMICO DI CAGLIARI
> Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
> 
> Tel.: +39 070 71180 248 Fax : +39 070 71180 222
> _
> 
> When the storms are raging around you, stay right where you are
>  (Freddy Mercury)
> _
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
> 







Re: Strange access.log entries

2002-10-16 Thread Daniel O'Neill

I don't know if it's the catch on your problem, but it'll be interesting
reading nonetheless;

http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0037.html

On Wed, 2002-10-16 at 12:19, Simon Langhof wrote:
> Hi
> I noticed some (40 until now) strange entries in my Apache access.log. They started
> today at 2:43 GMT and all look like this:
> IP - - [16/Oct/2002:07:42:56 +0200] "\xe3@" 501 - "-" "-"
> 
> Only the request string changes, there are:
> \xe3@   25 of this
> \xe3=    9 of this
> \xe3G    4 of this
> \xe3Y    2 of this
> 
> They come from 9 IPs, where the last character always was the same from each IP.
> 
> Is that a new worm, or an old one I missed?
> 
> Simon Langhof
> 






Re: NIS

2002-10-28 Thread Daniel Lysfjord


On Tue, 29 Oct 2002, Francois Sauterey wrote:

> HI,
> 
> I'm looking for any craft to secure YP:
> 
> I'm working around shadow password and yp.
> 
> shadow passwords are stupid if ypcat passwd gives the encrypted passwords!
> Well, I use (in /etc/ypserv):
>   *  : passwd.byname: port   : yes
>   *  : passwd.byuid : port   : yes
> 
> passwd are mangled, but the ftp server, on a YP-client machine, does not
> recognize any user.
> 
> Any solution?



If you are using ProFTPd, then using PersistentPasswd off in
your /etc/proftpd.conf would do the trick.


-Daniel Lysfjord-






Re: [SECURITY] [DSA 193-1] New klisa packages fix buffer overflow

2002-11-11 Thread Daniel Stone
On Mon, Nov 11, 2002 at 06:07:40PM +0100, Martin Schulze scrawled:
> iDEFENSE reports a security vulnerability in the klisa package, that
> provides a LAN information service similar to Network Neighbourhood,
> which was discovered by Texonet.  It is possible for a local attacker
> to exploit a buffer overflow condition in resLISa, a restricted
> version of KLISa.  The vulnerability exists in the parsing of the
> LOGNAME environment variable, an overly long value will overwrite the
> instruction pointer thereby allowing an attacker to seize control of
> the executable.
> 
> This problem has been fixed in version 2.2.2-14.2 for the current stable
> distribution (woody) and in version 2.2.2-14.3 for the unstable
> distribution (sid).  The old stable distribution (potato) is not
> affected since it doesn't contain a kdenetwork package.

KDE 3.0.5 packages, including the fixed kdenetwork (and, by extension,
klisa) packages, will start appearing on kde.org roughly Thursday
evening AEST (UTC+10). I've got exams until Thursday, so no sooner.

-d

-- 
Daniel Stone [EMAIL PROTECTED] [EMAIL PROTECTED]
Developer - http://kopete.kde.org, http://www.kde.org





Re: Debian Apache Packaging - Option 4!

2002-11-16 Thread Daniel Stone
[CC finally changed to [EMAIL PROTECTED], whoops. Please keep editors@, or just
me].

On Sat, Nov 16, 2002 at 02:01:23PM -0800, Robert Woodcock scrawled:
> On Sat, Nov 16, 2002 at 04:25:22PM -0500, Robert C. wrote:
> > The Apache suexec helper is special
> 
> Is "special" the going euphemism for "buggy"?
> 
> Seriously, lack of configuration file functionality is something worthy of
> at least a wishlist bug.

Not really, it's a security file: you can't change your area without
recompiling. I can see the use for this: h4x0rs can't just change a
config file and have a completely different suexec area, of their own
choosing.

-- 
Daniel Stone [EMAIL PROTECTED]
Developer, Trinity College, University of Melbourne





Re: Spammers using a non-existant address as return-path

2002-11-25 Thread Daniel Rychlik
That is something that I've always wanted to know, is how to turn verify off,
but alas, due to sheer laziness, I haven't read up on it...

On Monday 25 November 2002 15:38, Kjetil Kjernsmo wrote:
> Dear all,
> 
> I have just received a spam complaint, and unfortunately, some spammers
> have been using an address on one of my domains in their Return-Path
> and From-headers. How nice of them :-( . This address has never
> existed. I'm using the Exim packages from Woody.
> 
> For quite some time, I have seen it show up in my server logs, I'm
> rotating them too often, I guess, and I don't remember exactly what I
> have seen long ago, but recently I have seen things like:
> 2002-11-15 01:48:08 verify failed for SMTP recipient
> [EMAIL PROTECTED] from <> H=mta458.mail.yahoo.com
> [216.136.130.123]
> 
> I allow VRFY, and most of these come from yahoo.com or hotmail.com, I
> guess that has to do with spam filters they use. This address is
> probably getting a lot of bounces, which is then bounced off my server,
> and I don't want to waste my resources with accepting those, all in all
> I want to conserve as much as I can.
> 
> But, is there something I _should_ do in this situation, like including
> some text in the bounce saying that this address has never existed, and
> is being abused by spammers? If yes, _how_ should I do it?
> 
> I hope this is the right forum to ask...
> 
> Cheers,
> 
> Kjetil

-- 
Daniel J. Rychlik
Java/Perl Developer
http://daniel.rychlik.ws






Re: Intrusion Attempts

2002-12-03 Thread Daniel Rychlik
or use tcpwrappers and block them altogether, or better yet,
use Iptables and write a rule.

g'times
dan

On Tuesday 03 December 2002 21:05, Phillip Hofmeister wrote:
> On Tue, 03 Dec 2002 at 09:19:28PM -0500, [EMAIL PROTECTED] wrote:
> > Hi. Can you help me. Who do I report the above to. I have 2 firewalls
> > running and tonight I was attacked from the same address 172 times in
> > less than an hour. These people want banning off the net. It is certainly
> > a violation of my privacy. A dozen times is an excuse but 172, I ask you.
> > Please come back.
> 
> You can usually find the domain associated with the ip by doing a
> reverse lookup:
> 
> dig -x <ipaddress>
> 
> Make sure to take the results from your lookup above and look that up to
> make sure they match.
> 
> IE:
> 
> I do this first:
> dig -x 127.0.0.1
> 
> and get:
> 1.0.0.127.in-addr.arpa. 604800  IN  PTR localhost.
> 
> then I:
> 
> dig localhost
> 
> and I get:
> localhost.  604800  IN  A   127.0.0.1
> 
> They match, wonderful.  Now I go to www.localhost and see if they have
> an address to report logs of undesirables to.  If not I'll:
> 
> dig localhost SOA
> and get:
> 
> localhost.  604800  IN  SOA localhost.
> root.localhost. 1 604800 86400 2419200 604800
> 
> hmm...root.localhost, I bet you he can at least forward the email to the
> right person (since they are too lame to list that person on their
> web site).
> 
> If all else fails do a whois lookup on the IP
> 
> whois <ipaddress>
> 
> and find one of the contacts listed there and bug them :)
> 
> 
> There is always an iptables blacklist you can set up and block the
> entire 24 (or 16, ouch) bit network if the admins do not take care of
> the undesirables.
> 
> Regards,

-- 
Daniel J. Rychlik
Java/Perl Developer
http://daniel.rychlik.ws






To make a long story short...

2002-12-07 Thread Daniel Rychlik
I attempted to set up my CD read/write so that I could do backups, and I hosed
my Debian server.  You know, kernel panic... well, I passed some init
options and I got it back up.  I still would like to get my CD read/write to
work for redundancy.  Are there Debian white papers on how to do this for an
IDE CD burner?
I apologize in advance, I know this is a security mailing list...
-- 
Daniel J. Rychlik






Re: init.d startup sequence for shorewall

2002-12-12 Thread Daniel Swärd
> > > networking comes up at S35 in runlevel 0 so my internet is up and there
> > > is no firewall running so far.
> > 
> > runlevel 0 is system shutdown and halt.  The network is not brought up in
> > this runlevel. :-)
> > 
> 
> Actually that seems to be a highly secure firewall...Firewalls with no power cannot
> be compromised via the network :-)

http://www.samag.com/documents/s=1824/sam0201d/0201d.htm

Halted firewalls?

/Daniel
 
-- 
File not found. Should I fake it (y/n)?






Re: FTP-SSL

2002-12-19 Thread Daniel Lysfjord
Quoting Cristian Ionescu-Idbohrn [EMAIL PROTECTED]:

> On Thu, 19 Dec 2002, Daniel Lysfjord wrote:
> 
> > It seems like FileZilla[1] supports ftp-ssl..
> 
> > [1]: http://sourceforge.net/projects/filezilla
> 
> What about lftp?
> 
> Depends: ..., libssl0.9.6, ...


From man lftp(1):

   lftp can handle six file access methods - ftp, ftps, http,
   https, hftp, fish and file (https and ftps are only available
   when lftp is compiled with openssl library).

apt-cache show ftp:

Description: Sophisticated command-line FTP/HTTP client programs
 Lftp is a file retrieving tool that supports FTP and HTTP protocols under
 both IPv4 and IPv6. Lftp has an amazing set of features, while preserving
 its interface as simple and easy as possible.

Seems like it should work with ftps, but the description doesn't mention it...
Anybody know about this? I don't know any ftps servers, so I can't test if it
works...







Re: Can this be considered a DoS-attack?

2003-01-08 Thread Daniel O'Neill
No, and it seems they've fixed their problem on their end.

I think it hurt them a lot worse (on bandwidth) than it hurt you :)

On Wed, 8 Jan 2003 19:21:45 +0100 (CET)
Cristian Ionescu-Idbohrn [EMAIL PROTECTED] wrote:

> http://www.raycomm.com/techwhirl/magazine/technical/linux.html





Re: scrollkeeper loading external (online) DTD

2003-01-09 Thread Daniel O'Neill
That's absolutely ridiculous.

I would file one at once, that should definitely not go unchecked, at least.  I can
appreciate the motivation, but for my own sanity I'm too paranoid to a) accept strange
unknown files/connections or b) send out requests for such data.  Especially
considering it all happens without my knowledge, which, thanks, now I know.  Who
knows if the file is the original?  The checksum is verified, but that doesn't mean
much all things considered, where did the checksum come from?

On 08 Jan 2003 22:54:12 +0100
Sebastien Chaumat [EMAIL PROTECTED] wrote:

> Hi,
> 
>  This a real example:
> 
>  The xbill package contains: /usr/share/gnome/help/xbill/C/xbill.xml
> 
>  In this file the DTD is referred to by an absolute external link:
> 
> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
> "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
> 
>  Thus: scrollkeeper-update blindly connects to www.oasis-open.org to get
> the docbookx.dtd.
> 
>  I can trust signed debian packages but I can't trust
> www.oasis-open.org.
> 
> More than 18 files in /usr/share/gnome/help/ induce this download.
> 
> I'm about to make a bug report against scrollkeeper (for acting blindly,
> and downloading the same file more than once) and against packages that
> provide the xml files (for using an external DTD instead of providing
> it)...
> 
> Your opinion?
> 
> Cheers,
> 
> SEb
> 





Re: I'm searching for a network wide system update tool

2003-01-19 Thread Daniel Freedman
On Sun, Jan 19, 2003, Ivo Marino wrote:
> I've set up an apt-proxy server in my network; all Debian packages for each
> server in this network are downloaded from there.
> 
> I think using a cron-job like cron-apt for updating security related
> packages automatically on the servers not only could be a problem considering
> the security point of view but also this could corrupt a server configuration
> and leave the system/service out of function.
> 
> I prefer to launch manually a script which logs via ssh into each server
> and performs the packages update procedure.
> 
> Has anyone already written a script like the one described above or
> maybe knows an already existing application which could perform this
> task? Thanks.

Hi Ivo,

Not a full solution, but try dsh maybe: Dancer Shell or Distributed
Shell, which can replicate commands via ssh on groups of
nodes/servers/etc...

HTH,
Daniel

> -- 
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>  Ivo Marino   [EMAIL PROTECTED]
>  UN*X Developer, running Debian GNU/Linux
>  irc.FreeNode.net#debian
>  http://eimbox.org/~eim    http://eimbox.org
>  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



-- 
Daniel A. Freedman [EMAIL PROTECTED], Graduate Fellow
  Electronic Structure Calculations, LASSP, Cornell University
Free University Project:   http://www.freeuniversityproject.org
  Help build an accredited open-admission, free-tuition online university!






Re: question about SSH / IPTABLES

2003-01-23 Thread Daniel Kobras
On Thu, Jan 23, 2003 at 01:45:47PM +0100, DEFFONTAINES Vincent wrote:
> You can
> 1. Remove the users' access to the ssh program
> (eg change ownership and rights of /usr/bin/ssh and create a ssh group for
> allowed outgoing ssh users).
> 2. Mount /home, /tmp and any other place users might have write access on
> with the noexec switch, so they can only use binaries installed (and
> allowed to them) on the system.

3. Kindly ask the users not to run '/lib/ld.so.1 /usr/bin/ssh' (or any
executable they upload to /home, /tmp, or wherever).

Daniel.






H323 Gateways

2003-04-01 Thread Daniel Husand



Hi, does anyone know if it's possible to set up this:

Clients - NAT - Internet - NAT - Clients with
IP telephony without opening your NAT servers to the world.
Any software suggestions / tricks / ideas?


-- 
Daniel


Re: VPN gateway

2003-05-28 Thread Daniel Kobras
On Wed, May 28, 2003 at 03:36:07AM -0500, Warren Turkal wrote:
> I have a question that i have not been able to find a good conclusion for. Is
> the Freeswan stuff compatible with the cisco vpn that require user/pass
> logins?

It's definitely not compatible on its own.  I asked Cisco support, and
they told me that it _might_ work when running freeswan on top of l2tp.
Didn't get me much further, though. If someone else manages to figure it
out, please let me know. :)

Regards,

Daniel.





Re: recommendations for FTP server (fwd)

2003-06-21 Thread Daniel Lysfjord
FileZilla ( http://sourceforge.net/projects/filezilla/ ) is a great FTP client
for Windows that support SSL..


Quoting [EMAIL PROTECTED]:

 
> From:    [EMAIL PROTECTED]
> To:      Dariush Pietrzak [EMAIL PROTECTED]
> Subject: Re: recommendations for FTP server
> Date:    Sat, 21 Jun 2003 01:09:45 +
> 
> I know about SSL/TLS support in Proftp, the only problem is that few
> clients
> support it (thanks for the link to the Woody backport). I would use it if I
> could find clients that are supported by multiple OSes. Are there any
> SSL/TLS
> clients for Windows, OS X or Mac 9x?
> >  Proftpd does support SSL/TLS.  It's a module that comes with it, it's
> >  just not enabled by default.  Some nice docs here:
> >  http://www.castaglia.org/proftpd/modules/mod_tls.html
> > 
> http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
> >  Actually... it's enabled by default, that's why it says 'no certificate
> > found' when you start it the first time.
> >  Neither sftp nor anything else is a 'drop-in' replacement for ftp.
> > 
> >  The only problem with TLS/SSL in ftp is that there are not that many
> > clients that support that - there are NONE in woody. You need to backport
> > lftp from sid or compile it yourself ( I've got my backport available
> from
> > http://eyck.forumakad.pl/woody ./ )
> 
> >  There are few other options - tlswrap changes every passive-capable ftp
> > client into TLS-capable ftp client, there is this nice POSIX/Windoze
> > lundfxp client etc..
> > 
> >  The way I see it, sftp is way less secure way of providing access to
> files
> > than tls/ftp, you see, you need to create valid ssh-able accounts for all
> > your users, then it'll take you some time to secure those accounts just a
> > bit ( scp-only account? - great, if you wanna play around and compile
> > special shell... there is no scp-shell in woody, there is one in sid.
> > Is it safe enough? Who knows ).
> >  With ftp users need no shell, need no nothing. I create unlimited number
> > of users and worry not
> > 
> > -- 
> > Dariush Pietrzak,
> > I ain't the sharpest tool in a shed.
> > Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
> > 
> > 
 
 
 
 








unsubscribe

2003-09-17 Thread Daniel Lampertseder




Re: Watch out! vsftpd anonymous access always enabled!

2003-09-21 Thread Daniel Jacobowitz
On Sat, Sep 20, 2003 at 12:47:21PM +0200, Robert van der Meulen wrote:
> Hi,
> 
> I was working on a newly-installed machine for a customer who requires an
> ftp server. After installing vsftpd (which i *had* good experience with), I
> noticed that the 'anonymous_enable' switch in /etc/vsftpd.conf, when set to
> 'NO' *does* allow anonymous access.
> Logging in using the 'anonymous' user does not work, logging in using the
> 'ftp' user *does* work.
> The 'ftp' user is listed in /etc/passwd and /etc/shadow, and has a disabled
> password on all machines where I tried this and saw it working.
> I was only able to test this with 1.2.0-2 .
> 
> If anyone here is running vsftpd on a non-anonymous box, I'd make sure to
> check this too. In the case of this customer (who has pretty sensitive data
> on his box), this could have been quite a disaster.
> 
> 'funny':
> |Description: The Very Secure FTP Daemon
> | A lightweight, efficient FTP server written from the ground up with
> | security in mind.
> 
> Ahem.

I'm working on it.

Something is wrong with the PAM config...

-- 
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer





Re: Watch out! vsftpd anonymous access always enabled!

2003-09-21 Thread Daniel Jacobowitz
On Sat, Sep 20, 2003 at 12:47:21PM +0200, Robert van der Meulen wrote:
> Hi,
> 
> I was working on a newly-installed machine for a customer who requires an
> ftp server. After installing vsftpd (which i *had* good experience with), I
> noticed that the 'anonymous_enable' switch in /etc/vsftpd.conf, when set to
> 'NO' *does* allow anonymous access.
> Logging in using the 'anonymous' user does not work, logging in using the
> 'ftp' user *does* work.
> The 'ftp' user is listed in /etc/passwd and /etc/shadow, and has a disabled
> password on all machines where I tried this and saw it working.
> I was only able to test this with 1.2.0-2 .
> 
> If anyone here is running vsftpd on a non-anonymous box, I'd make sure to
> check this too. In the case of this customer (who has pretty sensitive data
> on his box), this could have been quite a disaster.
> 
> 'funny':
> |Description: The Very Secure FTP Daemon
> | A lightweight, efficient FTP server written from the ground up with
> | security in mind.
> 
> Ahem.

1.2.0-3 is in incoming, or remove the pam_ftp line.

If you're running something in situations that could be quite a
disaster, I suggest you immediately rethink using the version of
vsftpd from _unstable_.

-- 
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer





Re: Watch out! vsftpd anonymous access always enabled!

2003-09-21 Thread Daniel Jacobowitz
On Sun, Sep 21, 2003 at 10:40:40PM +0400, tokza wrote:
 
> > I was working on a newly-installed machine for a customer who requires an
> > ftp server. After installing vsftpd (which i *had* good experience with),
> > I noticed that the 'anonymous_enable' switch in /etc/vsftpd.conf, when
> > set to 'NO' *does* allow anonymous access.
> > Logging in using the 'anonymous' user does not work, logging in using the
> > 'ftp' user *does* work.
> > The 'ftp' user is listed in /etc/passwd and /etc/shadow, and has a
> > disabled password on all machines where I tried this and saw it working.
> > I was only able to test this with 1.2.0-2 .
> 
> 
> What are you talking about?
> This is my box running fbsd 4-stable, vsftpd-1.2.0, anonymous access disabled:
> (take no look at the banner string, this is just kidding :)
> 
> 22:36:32:toxa $ ftp toxa.lan
> Trying 192.168.2.1...
> Connected to toxa.lan.
> 220  toxadomain Microsoft FTP Service (Version 5.0)
> Name (toxa.lan:toxa): ftp
> 530 Permission denied.
> ftp: Login failed.
> ftp> quit
> 221 Goodbye.
> 22:36:39:toxa $
> 
> I use vsftpd.user_list with users allowed to access my box, of course there's
> no 'ftp' user in it.

If that's built for FreeBSD then it probably doesn't use PAM.  This is
a bug in the Debian PAM configuration.

-- 
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer





Re: How efficient is mounting /usr ro?

2003-10-18 Thread Daniel B.
Matt Zimmerman wrote:
 
> On Fri, Oct 17, 2003 at 06:26:01PM +0200, Bernd Eckenfels wrote:
> 
> > And to reply to myself:
> > 
> > Information Security - As defined by ISO-17799, information security is
> > characterized as the preservation of:
> > 
> > * Confidentiality - ensuring that information is accessible only to
> >   those authorized to have access.
> > * Integrity - safeguarding the accuracy and completeness of information
> >   and processing methods.
> > * Availability - ensuring that authorized users have access to
> >   information and associated assets when required.
> 
> ISO, I'm afraid, does not document either English or Information Technology.
> They are free to define terms however they like

Preventing crackers from breaking into your system and stealing data
preserves your information's confidentiality.

Preventing crackers from corrupting your data preserves your
information's integrity.

Preventing successful denial-of-service attacks preserves the availability
of your information.

So how are those definitions invalid?

Daniel
-- 
Daniel Barclay
[EMAIL PROTECTED]





Re: Web based password changer

2004-01-23 Thread Daniel Lysfjord
Quoting Tom White [EMAIL PROTECTED]:

> Dear List,
> 
> I'm looking for a decent, secure, web based password changer for
> user accounts.  Something that I can install on a debian box with a
> minimum amount of tweaking, and that isn't really any less secure than
> a shell user changing their password locally over ssh.  Is there
> anything out there that someone has had good experiences with?
> 
> ~Tom White
> 
> PS - how do you fit down the chimney?  and please don't leave coal in
> my stocking this year.
> 

Horde(1) has a password module. Works on ldap and unix accounts.

1: www.horde.org





Re: Some clarifications about the Debian-security-HOWTO

2004-02-21 Thread Daniel Kobras
On Sat, Feb 21, 2004 at 09:09:24AM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> ... and sometimes people forget to leave urgency at 'high' until the fix is
> really in testing when they upload a new version.

Doesn't make a difference. The testing scripts take into account the
maximum urgency between the version in testing and the version in
unstable.

Daniel.





Re: libxml, libxml2; Debian Security Advisory DSA 455-1

2004-03-05 Thread Daniel Kobras
On Fri, Mar 05, 2004 at 11:20:09AM -0700, s. keeling wrote:
> Incoming from Martin Schulze:
> > s. keeling wrote:
> > > Incoming from Martin Schulze:
> > > > Debian Security Advisory DSA 455-1 [EMAIL PROTECTED]
> > > > 
> > > > Package: libxml, libxml2
> > > > 
> > > > libxml2 is a library for manipulating XML files.
> > > > [snip]
> > > > For the stable distribution (woody) this problem has been fixed in
> > > > version 1.8.17-2woody1 of libxml and version 2.4.19-4woody1 of libxml2.
> > > .
> > > 
> > > (0) root /root_ apt-get install libxml libxml2
> > > Reading Package Lists... Done
> > > Building Dependency Tree... Done
> > > E: Couldn't find package libxml
> > > (100) root /root_ dpkg -l | grep libxml
> > > [snip]
> > > ii  libxml1        1.8.17-2        GNOME XML library
> > > ii  libxml2        2.5.7-1woody1   GNOME XML library
> > > 
> > > So, is that libxml above a typo?  Should I instead have done
> > > apt-get install libxml1 libxml2?  Suggestions?  I'm using:
> > > 
> > > deb ftp://ftp.rfc822.org/debian-security/ stable/updates main contrib non-free
> > 
> > Please see the output of apt-cache show {libxml,libxml1,libxml2}.
> 
> That says libxml doesn't exist (W: Unable to locate package libxml),
> so am I to take that as a hint that I only need update libxml2, since
> the advisory doesn't mention libxml1?

libxml is the name of the source package that builds the binary package
libxml1 (among others). The names of all affected binary packages are
mentioned in the URLs at the end of the advisory. So the libxml1 package
on your system ought to be updated as well. Simply running apt-get
upgrade will likely do the right thing for you, by the way.

Regards,

Daniel.





Re: passwords changed?

2004-04-11 Thread Daniel Pittman
On Sun, 11 Apr 2004, Noah Meyerhans wrote:
> On Sun, Apr 11, 2004 at 11:15:10AM +0200, LeVA wrote:
> > I always compile the latest stable 2.4 kernel with loadable modules
> > disabled, but I don't apply any kernel patches.
> > Is this safe, or I must apply some security patch?
> 
> None of the recent kernel-level vulnerabilities have required module
> support to be enabled. So no, it is not safe to run pre-2.4.25 kernels
> unless you manually apply backported fixes or use the kernels provided
> by the Debian security team.

It is probably also worth pointing out that disabling module loading
does *not* prevent people installing a kernel-mode patch (root kit) at
all.

It does make it slightly harder to achieve, but at least a few of the
root-kit systems out there are happy doing a binary patch direct to the
kernel, ignoring the module loader completely.


The only situation I can see where disabling module loading will
increase real security is where a device driver, or other code built as
a module, has a root exploit available, or enables access to an exploit.

A device driver with a flaw could do this, as could allowing someone to
load (say) the SCTP protocol, and bypass your firewall as a result.


Overall, though, disabling modules does not increase security more than
a trivial amount.


That said, I don't use modules or the module loader on most of my
servers - the added management complexity of building a custom kernel is
lower, in my experience, than the management complexity of dealing with
module loading issues, especially at boot time.

   Daniel

-- 
Confidence comes not from always being right but from not fearing to be wrong. 
-- Peter T. Mcintyre





Re: users and security ibwebadmin

2004-06-01 Thread Daniel Pittman
On 2 Jun 2004, Remco Seesink wrote:
> I tried the question below first on debian-mentors but harvested silence.
> Hopefully it is more on topic here.

In part, that is probably because you asked a very hard question. :)

[...]

> I am packaging ibwebadmin, a web administration tool for firebird
> and interbase databases.
> 
> I ran into a problem with users and groups and wonder how to resolve it.
> 
> The program runs some tools from the firebird packages (eg gbak, isql etc.)
> These tools work locally on database files. All the database related files
> are owned by the firebird user and group.
> 
> The firebird tools run as the www-data user as they are invoked from the
> apache process.
> 
> Adding www-data to the firebird groups seems a security risk for the database
> when it would be hit by a worm. New databases would still be created as the
> www-data users instead of the firebird user.

Yes. This would also allow *any* user who had access to upload a CGI
script to your system to control your database server; not a desirable
state of affairs.

> Must I do something with suid?

Not necessarily, but it is probably the easiest path to achieve the
result you want.

> Make the firebird tools suid firebird?

No, not a great idea. This gives anyone who has shell access to your
system control over your database server; again, not really desirable.

 I am not experienced with ins and outs of suid but I understand they
 are often a source of security hazards.

Yes. If you suid an application to another user, and I run it, I
effectively just logged in as the other user to do that.

 How could I set it up secure so ibwebadmin is still able to process
 the database files?

This is the hard bit. To do this, I usually follow this process:

1. write out *exactly* what admin task I need to achieve
2. write out *exactly* what information I need to achieve it
3. work out what security risks exist when that information is hostile
4. write a tool that exposes the smallest interface possible, and that
   actively defends against hostile information
5. try and work out if I can avoid using a suid tool anyway. ;)

For example, for database creation I worked out that I needed:

1. the name of the database
2. the username for the 'admin' user of that specific database

I was then able to write a script that, given that information, verified
that it was all valid, then created the database as appropriate.


That said, the other option is to use the Apache `suexec' functionality
to run your CGI script as the firebird user. That is probably less work,
but is correspondingly less secure.

 If these questions are not basic and more appropriate for
 debian-security tell me and I'll take them there.

 I have been playing around with the firebird packages and have a
 version with some minor bug fixes sitting on my harddrive. If it
 needs a firebird fix I could do that. (It's orphaned)

The trick is to think of how any action could be exploited by a hostile
user, rather than a friendly one.

For example, the firebird admin tool you were thinking of making suid -
does that allow running shell commands?  If so, making it suid is the
equivalent of granting all users shell access as the firebird user.

   Daniel
-- 
A drug is neither moral nor immoral--it's a chemical compound. The compound
itself is not a menace to society until a human being treats it as if
consumption bestowed a temporary license to act like an asshole.
-- Frank Zappa
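A sketch of the kind of narrow-interface tool Daniel describes, written as an added example rather than code from the thread or from the ibwebadmin package. It takes exactly the two inputs he lists for database creation (database name, admin user name), validates both against a strict allowlist before anything privileged happens, builds an argv list so no shell ever sees the values, and returns that list so the behaviour can be checked without a database present. The data directory, the helper path and the name patterns are assumptions for illustration.

```python
"""Narrow-interface wrapper for a privileged 'create database' step.

Added example. Inputs are treated as hostile: anything outside the
allowlist is rejected before a command is built, and the command is an
argv list (no shell), so metacharacters in the inputs cannot matter.
"""
import subprocess
from re import compile as re_compile
from typing import Callable, List

# Allowlists (assumed for the example): letters, digits, underscore only,
# must start with a letter, at most 32 characters. No '/', '.', ';' etc.
DB_NAME_RE = re_compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")
USER_NAME_RE = re_compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")

# Assumed locations; replace with whatever the deployment really uses.
DB_ROOT = "/var/lib/firebird/data"
CREATE_HELPER = "/usr/local/lib/ibwebadmin/create-db"  # hypothetical helper


class RejectedInput(ValueError):
    """Raised when caller-supplied data fails validation."""


def validate_db_name(name: str) -> str:
    """Return name unchanged if it matches the allowlist, else reject."""
    if not DB_NAME_RE.fullmatch(name):
        raise RejectedInput(f"bad database name: {name!r}")
    return name


def validate_user_name(name: str) -> str:
    """Return name unchanged if it matches the allowlist, else reject."""
    if not USER_NAME_RE.fullmatch(name):
        raise RejectedInput(f"bad user name: {name!r}")
    return name


def db_path(name: str) -> str:
    """Path for a new database; built only from a validated name, so it
    can never escape DB_ROOT."""
    return f"{DB_ROOT}/{validate_db_name(name)}.fdb"


def build_create_argv(db_name: str, admin_user: str) -> List[str]:
    """The argv that would run, with exactly two validated arguments."""
    return [CREATE_HELPER, db_path(db_name), validate_user_name(admin_user)]


def run_create(db_name: str, admin_user: str,
               runner: Callable[..., object] = subprocess.run) -> object:
    """Validate, then execute without a shell. The runner is injectable so
    the wrapper can be exercised without the real helper installed."""
    argv = build_create_argv(db_name, admin_user)
    return runner(argv, shell=False, check=True)
```

Everything the web front end is allowed to ask for goes through `run_create`; if the tool later needs a third input, that input gets its own allowlist rather than a looser one.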





Re: samba log directory

2004-06-12 Thread Daniel Pittman
On 12 Jun 2004, Christian Christmann wrote:
 I just checked my /var/log/samba and found
 bunch of log files:

 log.shitbanda  log.familj   
 log.mario-t3psqfw32  log.talentoaa 
 log.syb07  log.50163099sp
 log.gustavo  log.momerdadd
 log.rampeiras

 When I understand samba correctly, it creates for each user who is
 trying to use my samba server a separate log file. But why do I have
 all these files from users I don't know?

As far as I know, Samba used the *machine* name, not the *user* name, by
default for those log files.

 Did these guys try to break into my linux box? 

Maybe, but I suspect not. More likely they were either (a) machine names
you really know, or (b) broadcasts from other people on your LAN.

 If so, how can I recognize if they were successful?

Use tripwire, or the other tools like that which you installed and
configured before anyone could possibly compromise your machine, and for
which you kept secure off-line or read-only databases.

Otherwise, read the logs and hope that you can identify the issue.


Seriously, there really isn't any sure way of determining if someone
broke into your systems successfully other than identifying unusual
behaviour, or having an intrusion detection system in place before the
break-in.


Better to ask where the risks are, remove them, then rebuild the server
from scratch if you are not sure you are safe.

Regards,
Daniel
-- 
Regard all art critics as useless and dangerous.
-- Manifesto of the Futurists
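The point about tripwire-style tools is that the comparison only means something if the baseline was taken before any compromise and kept where an intruder cannot rewrite it. An added example (not from the thread and not tripwire itself) of the underlying mechanism: record a digest, permission bits and size for every regular file under a tree, store that, and later diff a fresh walk against it. The demo builds a small constructed directory, baselines it, alters it, and reports what changed.

```python
"""Minimal file-integrity baseline and check. Added example.

Keep the baseline off-line or on read-only media; a baseline that lives
on the host it describes can be adjusted by whoever broke in.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Per-file record: (sha256 hex digest, permission bits, size in bytes)
Entry = Tuple[str, int, int]


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Entry]:
    """Walk root and record every regular file, keyed by relative path."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are skipped here
            rel = os.path.relpath(full, root)
            baseline[rel] = (hash_file(full), stat.S_IMODE(st.st_mode), st.st_size)
    return baseline


def compare(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Files added, removed, or changed in content or permission bits."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "changed": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel] != new[rel]:
            report["changed"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tree, modify it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        ls_path = os.path.join(root, "bin", "ls")
        passwd_path = os.path.join(root, "passwd")
        with open(ls_path, "wb") as fh:
            fh.write(b"original binary\n")
        with open(passwd_path, "wb") as fh:
            fh.write(b"root:x:0:0\n")
        os.chmod(passwd_path, 0o644)
        before = build_baseline(root)
        # Simulated changes: replaced binary, new file, permission change.
        with open(ls_path, "wb") as fh:
            fh.write(b"replaced binary\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"\x7fELF")
        os.chmod(passwd_path, 0o600)
        return compare(before, build_baseline(root))
```

In real use `build_baseline` would run once on the freshly installed host and its output would be written to media that is then taken off-line; the later `compare` should itself be run from a known-good system, since a compromised kernel or libc can lie to it.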





Re: rbl's status?

2004-06-13 Thread Daniel Pittman
On 14 Jun 2004, Noah Meyerhans wrote:
 On Sun, Jun 13, 2004 at 07:46:15PM +0300, Vassilii Khachaturov wrote:
 What are the recommended rbl's these days?

 Best thing is ask on NANAE or exim-users or whatever your favourite MTA is.
 Here's what I am using here RBL-wise:

 rbl_domains = bl.spamcop.net/reject : 
 relays.osirusoft.com/reject :spamhaus.relays.osirusoft.com/reject : 
 sbl.spamhaus.org/reject

 You do realize that the osirusoft blacklists are defunct and have been
 for several months, right?  Basing your decision of whether or not to
 accept mail from a given host based on an answer from a defunct
 blacklist is probably not a good idea.

This sort of thing is why I would rather use any RBL within
SpamAssassin, rather than at SMTP delivery time. Even if one of these
services goes completely belly up and blacklists the world, I don't
automatically lose mail from it.

Also, for Vassilii - you use the SpamCop blacklists. That is something
that I would be very nervous of. They have some pretty liberal policies
about what they accept, and their automatic tools are not that great at
filtering out innocent parties...

  Daniel

-- 
You come for me now with a cake that you've made
Ravaged avenger with a clip in your hair
Full of glass and bleach and my old razorblades
Oh, where do we go now but nowhere
-- Nick Cave, _Where Do We Go Now But Nowhere?_





Re: rbl's status?

2004-06-14 Thread Daniel Pittman
On 14 Jun 2004, Bernd Eckenfels wrote:
 In article [EMAIL PROTECTED] you wrote:
 This sort of thing is why I would rather use any RBL within
 SpamAssassin, rather than at SMTP delivery time. Even if one of these
 services goes completely belly up and blacklists the world, I don't
 automatically lose mail from it.

 Please don't do this. 

Eh? You seem to have made an incorrect assumption about what I do to
the mail with SpamAssassin.

 You MUST reject mails (by spam scanners, malware scanners or
 blacklists) on the SMTP level, otherwise you become a pretty big
 annoyance to the internet (if you bounce) or will silently lose mails
 (if you drop them).

...or, option 3, I deliver them to the end user tagged as likely spam
when they look like spam. Then the end user can filter them out as they
please.

I certainly agree that bouncing SPAM messages, just like reporting
virus infections, is an anti-social behaviour.


If I chose to silently drop mail after accepting it, though, that is a
legitimate and reasonable disposition of the content, as far as I can
see.

Claims that this is anti-social seem spurious to me; can you expand on
your reasoning there?


Anyway, as I said, I don't take either of the options you suggest.
I use RBL tests at the SpamAssassin level because I *don't* trust them
to be one hundred percent accurate.

If I didn't care more about real mail getting through than the
occasional missed spam, then sure, using RBL blocking at the initial
SMTP stage would be ideal...

 Daniel

-- 
... Far down the vault a man was screaming. His fists were tightly clenched
and he was screaming out imprecations against the humming computers. There
was a hopeless rage in his eyes - rage and bitter, savage defiance.
-- Frank Bellknap, _It Was The Day Of The Robot_ (1963)





Re: Hashcash - was re: Spam fights

2004-06-16 Thread Daniel Pittman
On 16 Jun 2004, Hubert Chan wrote:
 Russell == Russell Coker [EMAIL PROTECTED] writes:
 Russell On Fri, 11 Jun 2004 22:34, Patrick Maheral [EMAIL PROTECTED] wrote:

[...]

 SpamAssassin will check for hashcash in the future. Support is already
 present in the development version of SpamAssassin.

...makes you wonder how long it will take before someone does generate
the headers in SPAM, then.  Being in SpamAssassin seems to be a trigger
point for a whole lot of things to be worth avoiding/abusing for
spammers - the silly haiku header thing being one example. 


 Russell Besides, with an army of Windows Zombies you could generate
 Russell those signatures anyway...

 Although eating up gobs of CPU will probably be more easily noticed
 than just sending out lots of traffic.  Then again, some users are
 pretty clueless...

...and Windows does have a meaningful low priority for threads which
will result in this being pretty much unnoticed by most users, even the
observant ones.  Sure, you need more machines to get the same effect,
but it isn't like there is a shortage of them...


OTOH, HashCash sucks a lot less than the other solutions out there, so
I am all for it being more widely used; it would be interesting to see
if it actually managed to take off. :)

Daniel
-- 
Organization and method mean much, but contagious human characters mean more
in a university, where a few undisciplinables ... may be infinitely more
precious than a faculty full of orderly routinists.
-- William James





Re: running services in their own little world

2004-07-23 Thread Daniel Pittman
On 24 Jul 2004, [EMAIL PROTECTED] wrote:
 Any package in Debian that will automatically run all /etc/init.d based
 daemons in jail / chroot?

No, because it is not possible to provide a generic solution to running
daemons under a chroot, for a variety of reasons.

Regards,
Daniel
-- 
Nature provides a free lunch, but only if we control our appetites.
-- William Ruckelshaus, _Business Week_, 18 June 1990





Re: newbie iptables question

2004-08-14 Thread Daniel Pittman
On 14 Aug 2004, s. keeling wrote:
 Incoming from Bernd Eckenfels:
 In article [EMAIL PROTECTED] you wrote:
 Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
 SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115
 ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
 ...
 It all depends on whether you have services running on your machine
 that listen on DPT (445 in this case). If something is there to pick
 up the phone so to speak, anything can happen.  That service could
 answer on another port altogether.

 Well, you need to check if DST= is a local address, anyway.

 Are you suggesting that I might see stuff in my logs that was destined
 for a foreign IP?  

Not often, but occasionally, depending on how your ISP connects you to
the Internet.  It is most common on a LAN or a cable setup.

 If so, that would make me an open mail relay, no?

No. Being an open mail relay would make you an open mail relay. Your
firewall has pretty much nothing to do with that -- only the
configuration of your mail server really matters.

Have you considered using some sort of friendly setup, such as shorewall
or firehol, to deal with the technical details of firewalling for you?

It sounds like you are pretty unsure on your feet here, and those tools
take a lot of the uncertainty out of building a firewall...

Regards,
Daniel
-- 
We can keep from a child all knowledge of earlier myths, but
we cannot take from him the need for mythology.
-- Carl Jung
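Bernd's point above, that the first thing to check is whether DST= is one of your own addresses, is easy to automate. The following is an added example (not from the thread, not from iptables) that parses netfilter LOG lines into their KEY=VALUE fields and flag tokens, checks DST against a set of local addresses, and classifies each line. The first sample line is the one quoted in the thread; the other lines and the local address set are constructed for the example.

```python
"""Classify netfilter LOG lines by whether they were addressed to this host.

Added example. LOCAL_ADDRESSES is an assumption; in practice it would be
read from the host's interfaces.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

# Assumed: the address the thread's host has on ppp0.
LOCAL_ADDRESSES = {ipaddress.ip_address("12.65.24.43")}

# Constructed sample log: line 1 is quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    "Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= "
    "SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 "
    "ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Aug 12 04:37:10 towern kernel: |iptables -- IN=ppp0 OUT= MAC= "
    "SRC=198.51.100.7 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=110 "
    "ID=1234 DF PROTO=TCP SPT=3301 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Aug 12 04:37:22 towern kernel: |iptables -- IN=eth0 OUT= MAC= "
    "SRC=192.0.2.9 DST=192.0.2.77 LEN=78 TOS=0x00 PREC=0x00 TTL=128 "
    "ID=77 PROTO=UDP SPT=137 DPT=137",
]


def parse_netfilter_line(line: str) -> Dict[str, object]:
    """Return KEY=VALUE fields plus a FLAGS list (DF, SYN, ACK, ...).

    Parsing starts at the first 'IN=' so the syslog prefix and any
    log-prefix text are ignored. Bare upper-case tokens are flags.
    """
    start = re.search(r"\bIN=", line)
    if start is None:
        raise ValueError("not a netfilter LOG line")
    fields: Dict[str, object] = {}
    flags: List[str] = []
    for token in line[start.start():].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif token.isupper():
            flags.append(token)
    fields["FLAGS"] = flags
    return fields


def dst_is_local(fields: Dict[str, object], local=LOCAL_ADDRESSES) -> bool:
    """True when the packet was actually addressed to one of our addresses."""
    return ipaddress.ip_address(str(fields["DST"])) in local


def classify(line: str, local=LOCAL_ADDRESSES) -> str:
    """'not-for-this-host' for transit/broadcast traffic, otherwise a label
    naming the destination port for TCP connection attempts."""
    fields = parse_netfilter_line(line)
    if not dst_is_local(fields, local):
        return "not-for-this-host"
    if fields.get("PROTO") == "TCP" and "SYN" in fields["FLAGS"]:
        return f"inbound-connect:{fields['DPT']}"
    return "inbound-other"


def summarize(lines: Iterable[str], local=LOCAL_ADDRESSES) -> Counter:
    """Count classifications over a batch of log lines."""
    return Counter(classify(line, local) for line in lines)
```

Lines classified as `not-for-this-host` say something about the medium you are attached to (a shared LAN or cable segment) rather than about your machine; the ones that are addressed to you are the ones worth matching against the list of services you actually run.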





Re: JavaScript and Cookies enabled in Browser

2004-08-20 Thread Daniel Pittman
On 20 Aug 2004, Don Froien, III wrote:
 I was recently in a meeting where members of the IT group propose to
 use a utility called WebEx to perform remote compiles. Webex offers
 SSL encrypted transfers and the ability to offer only selected members
 to the meeting (remote compile in this case) and offers the transfers
 over https (port 443).

Sounds like a cute idea, but I don't quite see how it manages remote
compiles.

 The issue I see with this approach is that WebEx uses a browser interface that
 requires the browser to have Java Script and Cookies enabled. I have always
 been under the impression that those two items were considerable security
 issues. 

I think you are significantly overestimating the security risks there.
With an up-to-date browser, even IE, they don't pose too much of a risk.

Certainly, cookies are almost no risk. The worst case is that they allow
remote information gathering, or allow someone to steal the cookie and
impersonate you.

In either case there are normally easier ways to take over a machine. :)

 Does anyone know of any URL's or downloadable papers that will
 strengthen my argument against this approach? I believe a VPN solution
 to be more appropriate, but am being told that the WebEx approach is
 more secure. 

This strikes me as a dubious claim. If, as they claim, they use the
browser SSL layer then they could be *as* secure as an IPSec or SSL VPN
system at best, and could be completely insecure.

 If anyone knows a reason that this approach is secure, please advise
 also. 

If this really matters to you, do a real risk analysis of the situation:

Draw up a list of the things you need to protect or prevent.
Draw up a list of ways that people could attack those things.
Draw up a list of ways to ensure those attacks do not succeed.

Then, compare the final list to the various solutions on offer - VPN,
WebEx, etc, and see which one achieves the best practical security.


For what it is worth, though, I wouldn't trust the WebEx system to be
more secure than a VPN in combination with a Firewall, simply because it
trusts weak components (end user systems) for security, and because I
can see no external review of the quality of their implementation.

If you really want them to look bad, grab papers where people have done
a security review of various VPN systems and ask for the same for the
WebEx system...

 Daniel
-- 
Laughter is our safety valve.  It helps us get through Sarajevo and the stupid
things politicians do.
-- Jerry Lewis





Re: MD5 collisions found - alternative?

2004-08-24 Thread Daniel Pittman
On 24 Aug 2004, Robert Trebula wrote:
 Maybe you have already noticed - collisions have been found in MD5 
 hashing algorithm:

 http://eprint.iacr.org/2004/199.pdf
 http://www.freedom-to-tinker.com/archives/000664.html
 http://www.unixwiz.net/techtips/iguide-crypto-hashes.html

 My question is: Is there an easy way to make my debian sid installation
 use something else (better) than md5 for various things? Namely SHA-1 
 with some longer output in PAM.

The SHA family have also been found to be weaker than expected, so
it looks like both common crypto hash sets are on somewhat shaky ground
at the moment.

The best current answer is probably to wait a month or two as the dust
settles and the crypto community, especially through the IETF, move
forward with recommendations about where we go from here.

Jumping half-prepared to some other hash opens the door to a second
costly migration if your hash of choice turns out to be the wrong one. ;)


Also, while there are issues with those hash algorithms, I don't think
they are quite bad enough that there is a significant *immediate* risk
to my systems; the cost of breaking in through the detected collisions
is lower than the risk of a bad password, etc.

   Daniel

-- 
In protocol design, perfection has been reached not when there is nothing left
to add, but when there is nothing left to take away.
-- RFC 1925





Re: MD5 collisions found - alternative?

2004-08-24 Thread Daniel Pittman
On 24 Aug 2004, Sam Vilain wrote:
 Robert Trebula wrote:

 Maybe you have already noticed - collisions have been found in MD5
 hashing algorithm:

[...]

 I think cryptanalysts have 'cracked' pretty much all of them, though
 with practically prohibitive costs of cracking them (eg, 2^50 for
 SHA-0).

[...]

 My personal thought is that you could make the hash more secure simply
 by running md5 and SHA1 (maybe pepper on another one for good luck) 
 across a single stream at the same time, and simply xor the resultant 
 hashes together.  You could pretty much add up the cost of the attacks 
 against the keys.

Be aware that this sort of multi-encryption technique can
lead to significant exposures when applied to traditional crypto; it can
produce results that allow a vastly simpler attack on the protected
information.

I would not put my name to a recommendation about how to make a
cryptographic product or protocol more secure unless I had sufficient
background in the area to know the full implications of my recommended
actions.

Regards,
Daniel
-- 
If a joke is worth telling, it's worth telling once.
-- Ollie MacNoonan





Re: MD5 collisions found - alternative?

2004-08-24 Thread Daniel Pittman
On 25 Aug 2004, Matthew Palmer wrote:
 On Tue, Aug 24, 2004 at 12:20:24PM -0400, Phillip Hofmeister wrote:
 On Tue, 24 Aug 2004 at 10:50:38AM -0400, Daniel Pittman wrote:
 Be aware that this sort of multi-encryption technique can
 lead to significant exposures when applied to traditional crypto; it can
 produce results that allow a vastly simpler attack on the protected
 information.

 I would not put my name to a recommendation about how to make a
 cryptographic product or protocol more secure unless I had sufficient
 background in the area to know the full implications of my recommended
 actions.

 If I understand your postulate correctly:

 If I, the user, encrypt a message with algorithm X and the cipher text
 is intercepted by the attacker.  The attacker can make his chances of
 brute forcing the text BETTER by encrypting my cipher text with algorithm
 Y.  This simply does not hold up.

 For random values of X and Y, you are correct, there is no reason to assume
 that you will get an easier time of it.  However, there are plenty of
 examples where (for instance) applying the same algorithm N times
 does not produce N times the security, or even the same level of security. 
 The same adverse interaction occurs when you mix different algorithms.

[...]

 It's those sorts of tricky interactions (which aren't immediately obvious)
 which I'm sure led Daniel to warn of the dangers of simplistic security
 upgrades.

Matt is entirely correct in his statements - this is *precisely* the
issue that I am concerned with.

I cannot say that SHA1(f) xor MD5(f) is weaker or stronger than either
of those two on their own, because I don't know cryptographic algorithm
design well enough.

It is very hard to design a good cryptographic algorithm, though, and
even harder to build a useful cryptographic system around a good
algorithm.

To quote from memory, unless you happen to be Bruce Schneier you
probably can't design a secure cryptographic system on the back of a
napkin, and you are almost certainly better off not trying. :)

Regards,
Daniel
-- 
Crying loud, you're crawling on the floor
Just a beautiful baby, You're nothing more
-- Switchblade Symphony, _Clown_





Re: Spyware / Adware

2004-08-31 Thread Daniel Pittman
On 1 Sep 2004, Jim Richardson wrote:
 On Tue, 31 Aug 2004 16:50:09 +0200,
 Adrian 'Dagurashibanipal' von Bidder [EMAIL PROTECTED] wrote:
 On Tuesday 31 August 2004 13.30, Volker Tanger wrote:

 [spyware/adware/trojans/...:]

 Yes and no. When surfing as normal user *ware programs cannot install
 themselves as system services or overwrite programs simply as you/they
 do not have the (file) permissions to do so.

 Technically, for most purposes, malware installing itself into an
 unprivileged user account and automatically starting itself through
 ~/.bashrc or whatever is entirely possible, especially since most
 malware these days seems to be used only as a base for DDOS attacks
 (including sending spam), so no special privileges are necessary
 here. (And KDE and Gnome are currently catching up nicely in the
 number of little useful (?) daemons that are started on a desktop
 machine.)

 There is no click the attachment and install the malware without your
 knowing it, in Linux.

Nonsense.  The 'Gnus' mailer was modified a while back so that it would
not automatically execute a MIME part containing elisp code; that is
*precisely* the sort of issue you claimed was impossible.

*Most* mail clients under Unix are better written than to do that, but
between remotely exploitable issues with image rendering and the push
toward user friendly defaults there is no reason why this could not
happen.

Regards,
Daniel
-- 
Anyone who stops learning is old, whether at twenty or eighty. Anyone who keeps
learning stays young. The greatest thing in life is to keep your mind young.
-- Henry Ford





Re: Spyware / Adware

2004-08-31 Thread Daniel Pittman
On 1 Sep 2004, s. keeling wrote:
 Incoming from Daniel Pittman:

 *Most* mail clients under Unix are better written than to do that, but

 Even mutt (a terrific MUA) _can be told_ to automatically handle
 MIME types for you, if you want.  It just depends what's in your
 ~/.mailcap, and that can contain any sort of command you can imagine.

*nod*  Very true. Certain other mail viewing tools, including metamail,
will just invoke whatever command happens to be in mailcap for a MIME
type.

 If you want it to mangle your user data when it runs across a
 malicious png, it can do that.  That doesn't mean it has to.  It only
 means you have that option.  There's nothing inherently wrong with an
 MUA being able to do this.

I don't mean to suggest there is.  I also don't agree with the OP who
claimed that Linux was immune to this sort of error;  automatic code
execution can cause Linux as much pain as Windows, but usually doesn't
due to better security practices.

Daniel
-- 
We should forget about small efficiencies, say about 97% of the time:
premature optimization is the root of all evil.
-- Donald E. Knuth, _Structured Programming with go to Statements_
   (Computing Surveys, Vol. 6, No. 4, December 1974)




