-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 308-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
June 6th, 2003
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 309-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
June 6th, 2003
On Thu, Jun 05, 2003 at 09:30:51AM +0200, Luis Gomez - InfoEmergencias wrote:
We'd like to protect that content, so that even if someone unplugs the machine
and connects the HD to another Linux box, they can't access that information.
Of course it's difficult to do, but we think there might
You can encode your php scripts (in standalone cgi mode or apache served)
with the open source gpl php encoder/optimizer turck mmcache. The readme
says that the encoding it's not recommended for production use yet, but it
works like a charm.
Good Luck,
Koba
On Thu, 5 Jun 2003 09:30:51 +0200,
Against a sophisticated attacker, it's totally impossible to do what you
want. They could run bochs an boot the x86 emulator from the new hard
drive, and examine the contents of the system's memory whenever they wanted.
Obviously, that's not easy, since you have to figure out where the
Hey there,
--On Thursday, June 05, 2003 11:14:36 AM +0200 Marcel Weber
[EMAIL PROTECTED] wrote:
Luis Gomez - InfoEmergencias wrote:
We're already looking at that (btw, IIRC loop-aes is included into the
cryptoapi of kerneli.org). The problem is what Dariush points: if your
machine has the pass
Think about this:
Use a encrypted loopback. To get the key without storing it on the
computer:
Get some kind of unique combined fingerprint of the computer and hd
through a c/c++ programmed algorithm and sending them to a secure
password server using some kind of (variable server provided
Harry Brueckner wrote:
On the other hand - what will you do if your server gets a hardware
problem and you have to replace/expand the system with a new NIC, add
another CPU, exchange anything in the box.
So after a simple hardware problem all your own data is lost as well,
even if the
On Thu, Jun 05, 2003 at 12:53:43PM -0300, Koba wrote:
Think about this:
Use a encrypted loopback. To get the key without storing it on
the computer:
Get some kind of unique combined fingerprint of the computer and hd
through a c/c++ programmed algorithm and sending
On Thu, 5 Jun 2003 14:15:45 -0300, Peter Cordes [EMAIL PROTECTED]
wrote:
If the attacker runs it under an x86 emulator like bochs, they don't need
to sniff the network, just look at memory after it's decrypted. Also,
what
I suggested was an attempt to avoid dependence on a network. I'd be
Good evening (here in Spain) to all of you.
I want to sincerely thank you all for the great feedback received on this
topic. I would never have expected to receive some 20 answers in such a short
time! Let me take my time to write your names, because you deserve it:
Thank you Dariush, Adam,
W licie z czw, 05-06-2003, godz. 07:30, Luis Gomez - InfoEmergencias
pisze:
Hello!
We'd like to protect that content, so that even if someone unplugs the machine
and connects the HD to another Linux box, they can't access that information.
Of course it's difficult to do, but we think there
I've noticed some strange traffic on our firewalls recently. Someone (Or
multiple someones) are attempting to send tcp packets inbound to our
network FROM well known ports (e.g. port 80) to multiple port numbers,
and usually multiple addresses as well. Sometimes they are randomised,
(Port
On Thu, Jun 05, 2003 at 08:29:10PM +0100, Hamish Marson wrote:
I've noticed some strange traffic on our firewalls recently. Someone (Or
multiple someones) are attempting to send tcp packets inbound to our
network FROM well known ports (e.g. port 80) to multiple port numbers,
and usually
In article [EMAIL PROTECTED]
[EMAIL PROTECTED] writes:
I've noticed some strange traffic on our firewalls recently. Someone (Or
multiple someones) are attempting to send tcp packets inbound to our
network FROM well known ports (e.g. port 80)
Some firewalls that don't do proper connection
Hi,
currently I'm setting up a gateway machine for a small office
network. After the recent threads about rooted woody boxes I feel it
would be iresponsible to set up a box without a grsecurity patched
kernel.
The problem is I also need the box to be a VPN gateway. One of
the reasons I got the
On Thu, Jun 05, 2003 at 10:02:53PM +0200, Christoph Haas wrote:
So most probably you see just the second. That's the way TCP works.
Sequential port numbers may show up because the counter of used
high-ports (1024 ff.) is just increased.
No, it's not at all uncommon to see incoming traffic from
On Thursday 05 June 2003 22:32, Vinai Kopp wrote:
Hi Vinai,
There seem to be problems using both the grsecurity and the freeswan
patches (at least I haven't been successfull applying the patches - I
tried the debian versions and the official ones from the different
project sites of the
On Thu, Jun 05, 2003 at 08:58:43PM +0200, Luis Gomez - InfoEmergencias wrote:
Other interesting things to look at:
- LICENSING ISSUES. As Peter Cordes commented, the kernel is GPL so if we
integrate code into it, we cannot provide a binary-only version, we should
also give away the sources
On Thu, Jun 05, 2003 at 10:32:59PM +0200, Vinai Kopp wrote:
Hi,
currently I'm setting up a gateway machine for a small office
network. After the recent threads about rooted woody boxes I feel it
would be iresponsible to set up a box without a grsecurity patched
kernel.
The problem is I also need
Vinai == Vinai Kopp [EMAIL PROTECTED] writes:
[...]
Vinai There seem to be problems using both the grsecurity and the
Vinai freeswan patches (at least I haven't been successfull applying
Vinai the patches - I tried the debian versions and the official ones
Vinai from the different project sites
Hamish Marson [EMAIL PROTECTED] writes:
I've noticed some strange traffic on our firewalls recently. Someone
(Or multiple someones) are attempting to send tcp packets inbound to
our network FROM well known ports (e.g. port 80) to multiple port
numbers, and usually multiple addresses as well.
Hi there
I'm trying to generate a 40-bit certificate using OPENSSL.Can anybody tell me if this
is possible and with which package?
Thanx
LeRoux
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi there,
I have debian (stable) with a stock kernel from kernel.org (2.4.20) with
FreeSwan 1.99 and grsecurity 1.99h. Worked without a problem so far.
The order of pachtes was first FreeSwan, then grsec, if that makes any
difference...
Good luck,
Noah Meyerhans wrote:
On Thu, Jun 05, 2003 at 10:02:53PM +0200, Christoph Haas wrote:
So most probably you see just the second. That's the way TCP works.
Sequential port numbers may show up because the counter of used
high-ports (1024 ff.) is just increased.
No, it's not at all uncommon
Hamish Marson [EMAIL PROTECTED] writes:
But does nmap generate the packets WITHOUT the SYN flag set? Which is
what these are...
In this case, it's probably backscatter. Could you tell us a few
source/destination pairs? I could have a look at our flow database at
work and look for similar
On Fri, Jun 06, 2003 at 10:12:05PM +0200, Florian Weimer wrote:
But does nmap generate the packets WITHOUT the SYN flag set? Which is
what these are...
In this case, it's probably backscatter. Could you tell us a few
source/destination pairs? I could have a look at our flow database at
Okay, I already posted this message to debian-users, but please don't
flame me - i just figured that maybe debian-security is the better place
to post a request for help like this. Clearly enough this is a security
concern, after all. So maybe you could be so kind and help me out on
this one:
Is there some reason why you can't give each user an account and have them put their
files in ~/public_html? That would have their page show up at domain.net/~username/.
Sorry if you already knew this and I'm misunderstanding the problem.
On Sat, 07 Jun 2003 00:03:59 +0200
Juan Antonio Agudo
Hi,
On Sat, 07 Jun 2003 00:03:59 +0200, Juan Antonio Agudo writes:
I want to enable some friends of mine to host their web pages on
my woody server. It has Apache LAMP running in great shape and it
suits my Web page just fine. The Problem that I have now is, that
the apache user is www-data.
Hi !
apt-get install openssl
There is two text files in /usr/share/doc/openssl-(version)/docs/HOWTO
Shows how to create an RSA key and a certificate request/self signed
certificate ...
[]'s
On Fri, 2003-06-06 at 05:27, Van Wyk Leroux, Mr wrote:
Hi there
I'm trying to generate a 40-bit
From: Luis Gomez - InfoEmergencias [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Keeping files away from users - THANKS!!
Date: Thu, 5 Jun 2003 20:58:43 +0200
MIME-Version: 1.0
Received: from murphy.debian.org ([146.82.138.6]) by
mc5-f31.law1.hotmail.com with Microsoft
On 06 Jun 2003 16:15:37 PDT, Jon writes:
I believe Apache would still be executing php/cgi scripts as www-data,
so users could snoop on other users's scripts, session files, etc.
Something like:
?php echo `ls ../neighbor/public_html`; ?
I suggest you look up the suEXEC Apache module, it seems to
Hamish Marson [EMAIL PROTECTED] writes:
I've noticed some strange traffic on our firewalls recently. Someone
(Or multiple someones) are attempting to send tcp packets inbound to
our network FROM well known ports (e.g. port 80) to multiple port
numbers, and usually multiple addresses as well.
Hi there
I'm trying to generate a 40-bit certificate using OPENSSL.Can anybody tell me
if this is possible and with which package?
Thanx
LeRoux
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi there,
I have debian (stable) with a stock kernel from kernel.org (2.4.20) with
FreeSwan 1.99 and grsecurity 1.99h. Worked without a problem so far.
The order of pachtes was first FreeSwan, then grsec, if that makes any
difference...
Good
Noah Meyerhans wrote:
On Thu, Jun 05, 2003 at 10:02:53PM +0200, Christoph Haas wrote:
So most probably you see just the second. That's the way TCP works.
Sequential port numbers may show up because the counter of used
high-ports (1024 ff.) is just increased.
No, it's not at all
Hamish Marson [EMAIL PROTECTED] writes:
But does nmap generate the packets WITHOUT the SYN flag set? Which is
what these are...
In this case, it's probably backscatter. Could you tell us a few
source/destination pairs? I could have a look at our flow database at
work and look for similar
On Fri, Jun 06, 2003 at 10:12:05PM +0200, Florian Weimer wrote:
But does nmap generate the packets WITHOUT the SYN flag set? Which is
what these are...
In this case, it's probably backscatter. Could you tell us a few
source/destination pairs? I could have a look at our flow database at
Okay, I already posted this message to debian-users, but please don't
flame me - i just figured that maybe debian-security is the better place
to post a request for help like this. Clearly enough this is a security
concern, after all. So maybe you could be so kind and help me out on
this one:
Is there some reason why you can't give each user an account and have them put
their files in ~/public_html? That would have their page show up at
domain.net/~username/.
Sorry if you already knew this and I'm misunderstanding the problem.
On Sat, 07 Jun 2003 00:03:59 +0200
Juan Antonio Agudo
Hi,
On Sat, 07 Jun 2003 00:03:59 +0200, Juan Antonio Agudo writes:
I want to enable some friends of mine to host their web pages on
my woody server. It has Apache LAMP running in great shape and it
suits my Web page just fine. The Problem that I have now is, that
the apache user is www-data.
Hi !
apt-get install openssl
There is two text files in /usr/share/doc/openssl-(version)/docs/HOWTO
Shows how to create an RSA key and a certificate request/self signed
certificate ...
[]'s
On Fri, 2003-06-06 at 05:27, Van Wyk Leroux, Mr wrote:
Hi there
I'm trying to generate a 40-bit
On Fri, 2003-06-06 at 15:42, Tim Cunningham wrote:
Is there some reason why you can't give each user an account and have them
put their files in ~/public_html? That would have their page show up at
domain.net/~username/.
Sorry if you already knew this and I'm misunderstanding the problem.
From: Luis Gomez - InfoEmergencias [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Subject: Re: Keeping files away from users - THANKS!!
Date: Thu, 5 Jun 2003 20:58:43 +0200
MIME-Version: 1.0
Received: from murphy.debian.org ([146.82.138.6]) by
mc5-f31.law1.hotmail.com with Microsoft
On 06 Jun 2003 16:15:37 PDT, Jon writes:
I believe Apache would still be executing php/cgi scripts as www-data,
so users could snoop on other users's scripts, session files, etc.
Something like:
?php echo `ls ../neighbor/public_html`; ?
I suggest you look up the suEXEC Apache module, it seems to
46 matches
Mail list logo